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Abstract. The coalgebraic approach to modal logic provides a uniform framework that 
captures the semantics of a large class of structurally different modal logics, including 
e.g. graded and probabilistic modal logics and coalition logic. In this paper, we intro- 
duce the coalgebraic /i-calculus, an extension of the general (coalgebraic) framework with 
fixpoint operators. Our main results are completeness of the associated tableau calculus 
and Exptime decidability for guarded formulas. Technically, this is achieved by reducing 
satisfiability to the existence of non-wellfounded tableaux, which is in turn equivalent to 
the existence of winning strategies in parity games. Our results are parametric in the 
underlying class of models and yield, as concrete applications, previously unknown com- 
plexity bounds for the probabilistic ^t-calculus and for an extension of coalition logic with 
fixpoints. 



1. Introduction 

The extension of a modal logic with operators for least and greatest fixpoints leads to a 
dramatic increase in expressive power [1]. The paradigmatic example is of course the modal 
/x-calculus [2]. In the same way that the /i-calculus extends the modal logic K, one can 
freely add fixpoint operators to any propositional modal logic, as long as modal operators 
are monotone. Semantically, this poses no problems, and the interpretation of fixpoint 
formulas can be defined in a standard way in terms of the semantics of the underlying 
modal logic. 

This apparent simplicity is lost once we move from semantics to syntax: completeness 
and complexity even of the modal //-calculus are all but trivial [STJ E] > an d /i-calculi arising 
from other monotone modal logics are largely unstudied, with the notable exception of the 
graded //-calculus [21]. Here, we improve on this situation, not by providing a new com- 
plexity result for a specific fixpoint logic, but by providing a generic and uniform treatment 
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of modal fixpoint logics on the basis of coalgebraic semantics. This allows for a generic 
and uniform treatment of a large class of modal logics and replaces the investigation of 
a concretely given logic with the study of coherence conditions that mediate between the 
axiomatisation and the (coalgebraic) semantics. The use of coalgebras conveniently ab- 
stracts the details of a concretely given class of models, which is replaced by the class of 
coalgebras for an (unspecified) endofunctor on sets. Specific choices for this endofunctor 
then yield specific model classes, such as the class of all Kripke frames or probabilistic 
transition systems. A property such as completeness or complexity of a specific logic is 
then automatic once the coherence conditions are satisfied. As it turns out, even the same 
coherence conditions that guarantee completeness and decidability of the underlying modal 
logic entail the same properties of the ensuing //-calculus. This immediately provides us 
with a number of concrete examples: as instances of the generic framework, we obtain not 
only the known Exptime bounds, both for the modal and the graded //-calculus 0121], but 
also previously unknown Exptime bounds for the probabilistic and monotone //-calculus, 
and for an extension of coalition logic |18j with fixpoint operators. 

Our main technical results are a syntactical characterisation of satisfiability in terms 
of (non-) existence of closed tableaux and a game-theoretic characterisation of satisfiability 
that yields an Exptime upper bound for the satisfiability problem for guarded formulas. 
Along the way, we establish a small model theorem. Here, as usual, a formula is called 
guarded if every fixpoint variable occurs only within the scope of a modal operator. If we 
assume that every formula can be transformed into an equivalent guarded formula in poly- 
nomial time, our EXPTIME decidability result extends to the full coalgebraic //-calculus. 
This assumption is generally made in the literature on the modal //-calculus [15], but a 
recent paper pT] argues that in fact no algorithm is known that can perform the transfor- 
mation in polynomial time. Therefore we formulate our EXPTIME-decidability result more 
restrictive than in [4j. We nevertheless conjecture that our tableau calculus can be used for 
proving EXPTIME-decidability for the full coalgebraic //-calculus. 

We start by describing a parity game that characterizes model checking for the coal- 
gebraic //-calculus. As in the model-checking game for the modal //-calculus (see e.g. [25]). 
we allow greatest and least fixpoints to be unfolded ad libitum. Truth of a formula in a 
particular state of a model then follows, if only greatest fixpoints are unfolded infinitely 
often on the top level along infinite paths, which is captured by a parity condition. The 
same technique is employed in the construction of tableaux, which we conceptualise as fi- 
nite directed graphs: closed tableaux witness unsatisfiability of the root formula, provided 
that along any infinite tableau path one can construct an infinite sequence of formulas (a 
trace that tracks the evolution of formulas in a tableau) that violates the parity condition. 
In particular, closed tableaux are finitely represented proofs of the unsatisfiability of the 
root formula. Soundness of the tableau calculus is established by showing that a winning 
strategy in the model checking game precludes existence of a closed tableau. Decidability is 
then established with the help of tableau games, where the adversary chooses a tableau rule, 
and the player claiming satisfiability chooses one conclusion which effectively constructs a 
path in a tableau. In order to turn this tableau game into a parity game we combine the 
game board with the transition function of a deterministic parity word automaton. This 
automaton checks that on any given play, i.e., on any tableau path, there exists no trace 
that violates the parity condition. We prove adequacy of the tableau game by constructing 
a satisfying model from a winning strategy in the tableau game, which makes crucial use of 
the coherence conditions between the axiomatisation and the coalgebraic semantics. This 
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allows us to determine satisfiability of a fixpoint formula by deciding the associated (parity) 
tableau game, and the announced Exptime upper bound for guarded formulas follows once 
we can ensure that legality of moves in the tableau game can be decided in exponential 
time. 

Related Work. Our treatment is inspired by |17 }I261[M] . but we note some important 
differences. In contrast to [T7], we use parity games that directly correspond to tableaux, 
together with parity automata to detect bad traces. Moreover, owing to the generality of 
the coalgebraic framework, the model construction here needs to super-impose a coalgebra 
structure on the relation induced by a winning strategy. This construction is necessarily 
different from [23], since we cannot argue by induction on modal rank in the presence of 
fixpoints. Coalgebraic fixpoint logics are also treated in [26], where an automata theoretic 
characterisation of satisfiability is presented. We add to this picture by providing complexity 
results and a complete tableau calculus. Moreover, we use standard syntax for modal 
operators, which allows us to subsume for instance the graded //-calculus that cannot be 
expressed in terms of the V-operator used in op.cit. 

2. The Coalgebraic //-Calculus 

To keep our treatment fully parametric in the underlying (modal) logic, we define the 
syntax of the coalgebraic /i-calculus relative to a (fixed) modal similarity type, that is, a 
set A of modal operators with associated arities. Throughout, we fix a denumerable set V 
of propositional variables. We will only deal with formulas in negation normal form and 
abbreviate A = Cv 1 | *s? G A} and V = {p \ p G V}. The arity of ^ G A is the same as that 
of The set ^(A) of A-formulas is given by the grammar 

A, B ::=p \ A V B \ A AB \ V(Ax, . . . , A n ) | [ip.A \ up. A 

where p £ VuV, 'v' G A U A is n-ary and p does not occur in A in the last two clauses. The 
sets of free and bound variables of a formula are defined as usual, in particular p is bound in 
\ip. A and up. A. Negation ~ : J-~(A) — > T(A) is given inductively by p = p, A A B = A V B, 
^(^i, . . . , A n ) = V(Ai, . . . , A n ) and [ip. A = up.A\p := p] and the dual clauses for V and u. 
If S is a set of formulas, then the collection of formulas that arises by prefixing elements 
of S by one layer of modalities is denoted by (A U A)(S) = {^(Ai, . . . , A n ) \ G A U 
A n-ary, A%, . . . , A n G S}. A substitution is a mapping a : V — > /"(A) and Aa is the result 
of replacing all free occurrences of p € V in A by a (p). 

On the semantical side, parametricity is achieved by adopting coalgebraic semantics: 
formulas are interpreted over T-coalgebras, where T is an (unspecified) endofunctor on sets, 
and we recover the semantics of a large number of logics in the form of specific choices for 
T. To interpret the modal operators 9? € A, we require that T extends to a A-structure and 
comes with a predicate lifting, that is, a natural transformation of type [^] : 2 n — > 2 o T op 
for every n-ary modality *s? G A, where 2 : Set — > Set op is the contravariant powerset 
functor. In elementary terms, this amounts to assigning a set-indexed family of functions 
(Pjx ■ V{X) n ->■ V(TX)) Xe set to every n-ary modal operator V G A such that (Tf)- 1 o 
Pj x (A 1 ,...,A n ) = P} Y (f- 1 (A 1 ),...J- 1 (A n )) for all functions / : Y X. If 9 G 
A is n-ary, we put P\ X {A U . . . , A n ) = (TX) \ [V]x(X \ A u . . . , X \ A n ). We usually 
denote a structure by the endofunctor T and leave the definition of the predicate liftings 
implicit. A A-structure is monotone if, for all sets X we have that ['v'Jx^i, • • • ,A n ) C 
[QPJx (-Bi, • • • , B n ) whenever Ai C Bi for all i = 1, . . . , n. 
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In the coalgebraic approach, the role of frames is played by T-coalgebras, i.e. pairs 
(A, 7) where A is a set (of states) and 7 : X — > TX is a (transition) function. A T -model 
is a triple (X, 7, h) where (X, 7) is a T-coalgebra and h : V — > V(X) is a valuation of the 
propositional variables that we implicitly extend to V U V by putting h(p) = X \ h(p). For 
a monotone A-structure T and a T-model M = (X,j,h), the se£ {AJm of a formula 

j4 € J*"(A) w.r.t. M is given inductively by 

Mm = Kp) Ifip.AjM = LFP^f ) [^.A]m = GFP^f ) 

P(A U . . .,A n )j M = 7- 1 o PjxdA^M, lAn\ M ) 

where \SP{A^) and GFP(A* f ) are the least and greatest fixpoint of the monotone mapping 
Af : V{X) -> P(A) defined by A^(Z7) = {AJ M , where M' = (X,j,h') and fr'(g) = %) 
for q 7^ p and /i'(p) = C/. We write M, x \= A if a; S [^4] a/ to denote that ^4 is satisfied at 
x. A formula A € -7~~(A) is satisfiable w.r.t. a given A-structure T if there exists a T-model 
M such that {AJm 7^ 0- The mappings A^ 1 are indeed monotone in case of a monotone 
A-structure, which guarantees the existence of fixpoints. 

Example 2.1. 1. T-coalgebras (A, 7 : X ->• P(A)) for TA = P(A) are Kripke frames. 
If A = {□} for □ unary and □ = 0, -T(A) are the formulas of the modal //-calculus |14j . 
and the structure |D]x(^) = {V G V(X) \ V C U} gives its semantics. 

2. The syntax of the graded //-calculus [21] is given (modulo an index shift) by the 
similarity type A = {(n) | n > 0} where (n) = [n], and (n)A reads as 11 A holds in more than 
n successors". In contrast to op. cit. we interpret the graded //-calculus over multigraphs, 
i.e. coalgebras for the functor B 

B(A) = {/ : A -> N I supp(/) finite} 
where supp(/) = {x G A | f(x) ^ 0} is the support of /, that extends to a structure 
l(n)jx(U) = {/ G B(A) I /(») > ^ [/CI 

Note that this semantics differs from the Kripke semantics for both graded modal logic [10J 
and the graded /i-calculus. The change of the semantics is needed in order to fit graded 
modal logic into the coalgebraic framework, because in the standard semantics of graded 
modal logic we cannot interpret the modalities by natural transformations. Both types of 
semantics, however, induce the same satisfiability problem: image-finite Kripke frames are 
multigraphs where each edge has multiplicity one, and the unravelling of a multigraph can 
be turned into a Kripke frame by inserting the appropriate number of copies of each state. 
The transformations preserve satisfiability. The fact that the two types of semantics induce 
the same satisfiability problem makes use of the fact that the graded /i-calculus has the 
tree-model property (|21j): a formula of the graded //-calculus is satisfiable on some Kripke 
frame iff it is satisfiable on a tree of finitely bounded branching degree. Alternatively, the 
fact that the two satisfiability problems are equivalent can be also obtained from the results 
in this paper by showing that the tableau calculus for the graded /i-calculus is sound over 
the class of all Kripke frames. 

3. The probabilistic //-calculus arises from the similarity type A = {(p) | p E [0, 1] n Q} 
where (p) = [p\ and (p)(j) reads as "(/> holds with probability at least p in the next state". 
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The semantics of the probabilistic /U-calculus is given by the structure 

D(X) = {// : X -v [0, 1] | J2 M*) = !} l(p)ix(U) = {fi G D(X) | £ fi(x) > p} 

xex xeu 
where U C X and — indicates maps with finite support. Coalgebras for D are precisely 
image- finite Markov chains, and the finite model property of the coalgebraic ^-calculus that 
we establish later ensures that satisfiability is independent of image-finite semantics. 

4. Formulas of coalition logic over a finite set N of agents [18] arise via A = {[C] \ C C 
N}, and are interpreted over game frames, i.e. coalgebras for the functor 

G(X) = {(/, (Si) ieN ) | J] S t + 0, / : [] $ -> X} 

i£N ieN 

which is a class-valued functor, which however fits with the subsequent development. We 
think of Si as the set of strategies for agent % and / is an outcome function. The formula 
[C]A reads as "coalition C can achieve A", which is captured by the lifting 

l[C]lx(U) = {(f,(Si) ieN ) £ G(X) \ 3(s l ) ieC y(s i )^ N \cf((s l )ieN) £ U} 

for U C X. The induced coalgebraic semantics is precisely the standard semantics of 
coalition logic, ie., the formula [C]A holds at a state x if all agents i in the coalition C can 
choose a strategy Sj at x such that, for all possible strategy choices of agents in N \ C at 
position x, the play proceeds to a state x' that satisfies property A. 

5. Finally, the similarity type A = {□} of monotone modal logic [2] has a single unary □ 
(we write □ = <(>) and interpret the ensuing language over monotone neighbourhood frames, 
that is, coalgebras for the functor / structure 

M(X) = {Y C T{V{X)) | Y upwards closed} \U\x{U) = {Y £ M{X) \ U € Y} 

for U C X which recovers the standard semantics in a coalgebraic setting |12| . 
It is readily verified that all structures above are indeed monotone. 

3. The Model-Checking Game 

We start by characterising the satisfaction relation between states of a model and formu- 
las of the coalgebraic /x-calculus in terms of a two-player parity game that we call the 
model checking game. This characterisation will be the main technical tool for establishing 
soundness and completeness of an associated tableau calculus. 

The game that we are about to describe generalises |25t Theorem 1, Chapter 6] to 
the coalgebraic setting, and is a variant of the game used in [6]. We begin by fixing our 
terminology concerning parity games. 

A parity game played by 3 (Eloise) and V (Abelard) is a tuple Q = (Bg, By, E,£l) 
where B = B^ U By is the disjoint union of positions owned by 3 and V, respectively, 
E C B x B indicates the allowed moves, and Vt : B — > u is a (parity) map with fi- 
nite range. An infinite sequence (bo, &i, &2> • • • ) of positions is called bad if max{&; | k = 
for infinitely many i G uj} is odd. 

A play in Q is a finite or infinite sequence of positions (&0j b\, . . . ) with the property 
that (bi, bi + i) € E for all i, i.e. all moves are legal, and 6o is t ne initial position of the play. 
A full play is either infinite, or a finite play ending in a position b n where E[b n ] = {b € B \ 
(b n ,b) £ E} = 0, i.e. no more moves are possible. A finite play is lost by the player who 
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cannot move, and an infinite play (60, &i, • • • ) is lost by 3 (and won by V) iff (bo, 61, ... ) is 
bad. 

A strategy in Q for a player P G {3,V} is a partial function that maps all plays that 
end in a position b G Bp of P with E[b] 7^ to a position b' G B such that (6,6') G £7. 
Intuitively, a strategy determines a player's next move, depending on the history of the 
game in all positions where the player can move. Given a strategy s for player P in Q 
we say that a play (po, . . . , bi, . . . ) of is played according to s if for all proper prefixes 
60 • • • h of 7r with 6j G Pp we have s(&o • • • h) = A strategy for a player P G {3, V} is 
called history-free or positional if it only depends on the last position of a play. Formally, 
a history-free strategy for player P G {3, V} is a partial function s : Bp — 1 P such that s(6) 
is defined iff E[b] ^ 0, in which case (b, s(6)) £ E. A play (60, • • • ) is played according to 
s if = s(6j) for all i with 6j G Bp, and s is a winning strategy from position 6 G B if P 
wins all plays with initial position 6 that are played according to s. 

It is known that parity games are history-free determined [8j [16] and that winning 
regions can be decided in UP n co-UP [T3] , 

Theorem 3.1. [13] At every position b G P3 U Py a parity game Q = (Pg, Py, E,Cl) 
one of the players has a history-free winning strategy. Furthermore, for every b G P3 U Py ; 



/rom position b, where n, m and d are the size of B, E and the range of £1, respectively. 

We will now introduce the model checking game as a parity game. The model checking 
game is played on pairs (A, x) where A is a formula and x is a state, and (informally) V tries 
to demonstrate that x ^= A whereas 3 claims the opposite. The formulation of the game 
relies on formulas being clean (no variable occurs both free and bound, or is bound more 
than once) and guarded (bound variables only occur within the scope of modal operators). 
In the model checking game, we will only encounter a finite set of formulas, those that lie 
in the closure of the initial formula. The size of the closure will play a crucial role in our 
main complexity result because it yields an upper bound for the size of our tableau game 
that characterizes satisfiability of a formula. The formal definitions are as follows: 

Definition 3.2. A set V C J- (A) of formulas is closed if P G T whenever P is a subformula 
of some A G T and A\p := rip.A] G T if r/p.A G T, where r/ G {/x, The closure of T is the 
smallest closed set Cl(r) for which T C Cl(r). 

A formula A G .P(A) is guarded if, for all subformulas r/p.B of A, p only appears in the 
scope of a modal operator within P, and A is clean if the sets of free and bound variables 
of a formula are disjoint and if no two distinct occurrences of fixpoint operators in A bind 
the same variable. A finite set of formulas T is guarded if every element of T is guarded 
and r is clean if the formula AAer ^ ^ s c l ean - 

In the model checking game, the unfolding of fixpoint formulas gives rise to infinite plays, 
and we have to ensure that all infinite plays that cycle on an outermost ^-variable are 
lost by 3 (who claims that the formula(s) under consideration are satisfied), as this would 
correspond to the infinite unfolding of a least fixpoint. This is where the parity map comes 
in: formulas of the form fip.A are assigned odd priorities and, dually, vA.p an even priority. 
To make sure that 3 only looses those plays that cycle on the unfolding of an outermost 
//-variable, we require that the assignment of priorities is compatible with the subformula 
ordering. 




which player has a winning strategy 
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Definition 3.3. A parity map for a finite, clean set of formulas T is a function Q : C1(T) — > lo 
with finite range for which £l(A) = unless A is of the form r/p.B, rj G {/j>, u}, £l(A) is odd 
(even) iff A is of the form fip.B (vp.B), and Cl(rjipi.Bi) < ^(172^2-62) whenever rjipi.Bi is 
a subformula of r/2P2-B2, where 771 , 772 G {/J>, v}. 

It is easy to see that every clean set of formulas admits a parity function. 

Lemma 3.4. IfTC T(A) is finite and clean, then T admits a parity function whose range 
is bounded by the cardinality o/Cl(T). 

Proof. By induction on the well-founded ordering generated by 

r, A < T, A iff A £ A C subf (A) 

where subf (A) denotes the subformulas of A. If V contains a top-level conjunction, disjunc- 
tion or propositional variable, then the claim follows by induction hypothesis. Now suppose 
that r = fip.A, r'. By induction hypothesis, we obtain a parity function £1' : Cl(A, T') — > u 
that we may extend to a parity function : C1(T) — >■ oj by putting 

m B = np.A 
tt(B) = \fl'(B) B€Cl(A,r) 
otherwise 



where m is odd and m > fl'(B) for all B G C\(A, V). The case T 
in a similar fashion. 



up. A, V can be treated 
□ 



Given a parity function, we can define the following parity game, the winning regions 
of which characterise satisfiability. We parametrise the model checking game in a set of 
formulas which will enable us to use it to prove soundness and completeness of the tableau 
calculus (which operates on sets of formulas) that we introduce later. 

Definition 3.5. Suppose that M = (X,j,h) is a T-model, T C .F(A) is finite, clean and 
guarded, and fi is a parity map for T. The model checking game MGr(M) is the parity 
game whose positions and admissible moves are given in the following table, 



Position: b 


Player 


Admissible moves: E[b] 


(P,x),x G h(p) 




V 







(p,x),x h(p) 




3 







(r)p.A(p),x) for rj £ {/i, 


^} 


3 


{(A\p = r)p.A(p)],x)} 




{A 1 VA 2 ,x) 




3 


{(A 1 ,x),(A 2 ,x)} 




(Ai A A 2 ,x) 




V 


{(A 1 ,x),(A 2 ,x)} 




(^>(A 1 ,...,A n ),x) 




3 


{(V(A 1 ,...,A n ),(U 1 ,...,U n )) \ 










U!,...,U n C A, 7 (x) G PjxiUu. 


■ , U n )} 


(Q?(A!,...,A n ), ([/!,... 


,U n )) 


V 


{(Ai,x) 1 < i < n,x € Ui} 





where p <G V U V, V G A U A, A, A±, . . . , A n G Cl(r) are A-formulas, x G X are states and 
Ui C X are state sets. The parity function of M.Qy{M) is given by Q'(A,x) = Q(A) for 
A G Cl(r) and x G X, and = otherwise. 

It is easy to see that any two parity functions for a given set of formulas induce the same 
winning region for both players. We therefore speak of the model checking game given 
by a set of formulas. Evidently, the model checking game is an extension of the boolean 
satisfiability game with fixpoints and modal operators. When the game reaches a fixpoint 
formula, that is, a position of type (rjp.A, x), this fixpoint is simply unfolded, and its nature 
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(least or greatest fixpoint) and nesting depth of the formula fixpoint formula is recorded 
by the parity function. To show that a state x satisfies a modal formula V(Ai, . . . ,A n ), 3 
needs to select sets Ui, . . . , U n (that we think of as a subset of the truth sets of the A^s) so 
that the state x is being mapped by 7 into the lifting of U\, . . . , U n . Subsequently, V may 
challenge this choice and select an index 1 < i < n and require that 3 demonstrates that 
the formula A{ is satisfied at an aribitrary element of Ui (and thus corroborate that we may 
think of Ui as the truth set of A{). To prove that the model checking game characterises 
satisfiability, we make crucial use of monotonicity, as the Ui under-approximate the truth 
sets of the Ai. The announced generalisation of |25|, Theorem 1, Chapter 6] now takes the 
following form: 

Theorem 3.6. For V finite, clean and guarded, a T -model M = (X, 7, h), A € C1(T) and 

x £ X, 3 has a winning strategy in MQr(M) from position (A,x) iff M,x \= A. 

Proof. The proof is by induction on A, and similar to the proof of adequacy of the game 
semantics for the coalgebraic /i-calculus [261 Theorem 1]. It should be noted that the 
model-checking game in loc. cit. has slightly diferent moves in positions that correspond 
to fixpoint formulas: in a position of the form (np.A(p),x), the only available choice is to 
move to (A(p),x), and if a position of the form (p,y) is reached later, then the only option 
is to move to (A(p),y). However, one can show that both ways of treating fixpoint formulas 
in the model-checking game are equivalent. We only treat the case A = *\)(Ai, . . . , A n ); all 
others are as in loc. cit. . 

First suppose that M,x \= ^?(Ai, . . . ,A n ). By induction hypothesis, 3 has a winning 
strategy from position (A, x') if and only if M, x' \= A for all subformulas A of {A±, . . . , A n }. 
These winning strategies can be extended to provide a winning strategy from V(Ai, . . . , A n ) 
by stipulating that 3 move to (V(Ai, . . . , A n ), ({AiJm, • • • 1 [^Jm)- Now assume that 3 
has a winning strategy from position (ty(Ai, . . . , A n ),x) in MGr(M) under which 3 moves 
to position (^(Ai, . . . , A n ), (U\, . . . ,U n )) from position . . . , A n ), x). By induction 

hypothesis, we have that Xi \= Ai for all Xi G Ui so that Ui C [LAjJm and hence 7(2;) € 
[<?]([Ai] M) • • • , \Mm) by monotonicity of {V] whence x \= V(At, ...,A n ). □ 

4. Tableaux for the coalgebraic /u-calculus 

In this section, we characterise satisfiability in terms of non-existence of closed tableaux. 
Given that our approach is parametric both in the model class over which we interpret 
formulas (embodied by the endofunctor) and the modal operators (given by the similarity 
type) that we use, our tableau system will be parametric in a set of modal tableau rules. Our 
tableaux will be constructed by applying the standard rules for deconstructing propositional 
connectives, the modal rules that are supplied as a parameter, and unfolding of fixpoints. 
To ensure soundness and completeness of the ensuing calculus, we need to ensure two 
properties: 

(1) the supplied set of modal rules has to describe the model class in a sound and complete 
way 

(2) topmost least fixpoints are only unfolded finitely often. 

For the first property, we introduce coherence conditions between the proof rules and the 
semantics that will guarantee completeness. For the second property, we need to consider 
traces of formulas along the paths of the tableau and again use a parity function to determine 
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whether outermost fis are unfolded only finitely often. As the unfolding of fixpoints may 
create infinite branches, we conceptualise a tableau as a graph. A closed tableau is then 
constructed according to the given rules so that outermost least fixpoints are unfolded 
infinitely many times along any path through the tableau. 

We begin by describing the coherence conditions that will guarantee soundness and 
completeness of the modal rules. These rules describe the relationship between states and 
(coalgebraic) successors, are of a particularly simple form, and are formulated in terms of 
sequents. 

Definition 4.1. A A-tableau sequent, or just sequent, is a finite set of A-formulas. We write 
S(A) for the set of A-sequents. If V G S(A) we write S(T) = {A G S(A) | A C Cl(r)} for 
the set of sequents over the closure of T. 

We identify a formula A G ^(A) with the singleton set {^4}, and write T; A = T U A for 
the union of V, A G S(A) as before. Substitution extends to sequents via Ta = {Aa \ A G T}. 
A monotone one-step tableau rule for a similarity type A is of the form 

r 

ri ... r„ 

where To G (A U A)(V) and T±, . . . , F n C V for some set V C V of propositional variables, 
every propositional variable occurs at most once in Tq and all variables occurring in one of 
the rys (i > 0) also occur in IV 

Monotone tableau rules do not contain negated propositional variables, which are not needed 
to axiomatise (the class of models induced by) monotone A structures. The restriction 
on occurrences of propositional variables is unproblematic, as variables that occur in a 
conclusion but not in the premise and multiple occurrences of variables in the premise 
can always be eliminated. The set of one-step tableau rules is the only parameter in the 
construction of tableaux for coalgebraic fixpoint logics. The coherence conditions relate rule 
sets with the interpretation of modal operators purely on the level of properties of states 
(subsets of a set X) and properties of successors (subsets of TX). 

Definition 4.2. Let V C V be a set of propositional variables. The interpretation of a 
propositional sequent T Q V L) V with respect to a set X and a valuation r : V — >■ V(X) is 
given by [T]x,t = f]{ T {p) I V G T}, and the interpretation [r]yx,r ^ TX of a modalised 
sequent V C (A U A)(V) is 

PW = f){Mx(rfa), r( Pn )) | <?(p l5 . . . ,p n ) G T}. 

If T is a A-structure, then a set R of monotone tableau rules for A is one-step tableau complete 
(resp. sound) with respect to T if [TJtx.t ^ if (only if) for all Tq/Ti, . . . ,T n G R and 
all o~ '. V — y V with Tga C T, there exists 1 < i < n such that [rjcr]x,T / 0, whenever 
r C (AU A)(V) and r : V -»■ V{X). 

Informally speaking, a set R of one-step tableau rules is one-step tableau complete if a 
modalised sequent V is satisfiable whenever a rule that matches V has a satisfiable conclusion. 
Some care has to be taken to ensure monotonicity of one-step rules in concrete examples, 
in particular for the graded and the probabilistic ^-calculus. In order to obtain monotone 
rules for these logics, we need to insist that rule conclusions only contain prime implicants 
to avoid non-monotone occurrences of propositional variables. This ensures that we avoid 
a (non- monotone) conclusion consisting of e.g. T;p and T;p. 
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Definition 4.3. Suppose 7 is a finite (index) set. A prime implicant of a boolean function 
/ : {0, l} 1 — )■ {0, 1} is a partial valuation p : I — {0, 1} with minimal domain of definition so 
that / evaluates to 1 under all total extensions of p. Given a family (pj)jgj of propositional 
variables, every partial valuation p : I — ^ {0, 1} (and hence every prime implicant) induces 
a sequent 

r P = fa | p(i) = i} u {p t | = o}. 

Now consider fc € Z, a family (rj)jgj of integers and a family (pi)i£i of propositional 
variables over the same index set. For I = Iq U I±, we let 

rjj)j + rjp7 < k = {r p | p prime implicant of /} 

for the set of sequents induced by the prime implicants of the boolean function / : {0, l} 1 — s> 
{0, 1} defined by f(v) = 1 ^ ^ei ^ « + Eie^ ^(1 - «(*)) < k. 

In other words, the set of prime implicants of a boolean function corresponds to the 
reduced disjunctive normal form of the associated propositional formula. The notation 
Yli r iPi < ^ introduced above allows us to read a linear inequality involving propositional 
variables as a set of sequents (that we will later use as the conclusion of a one-step rule). 
If we think of the propositional variables pi as denoting subsets Ui of some set X, then 
the set of all points x € X that satisfy the inequality l{/ i (x) < A; is precisely the set of 
points that satisfies the induced collection of sequents. (We write Ijj : X — > {0, 1} for the 
characteristic function of a subset [/CI). For one-step rules formulated in terms of linear 
inequalities, we need this property to establish completeness. 

Lemma 4.4. Suppose X is a set and r : V — > V(X) is a valuation of propositional variables. 
Then x satisfies one of the elements of J2 ieIo riPi + ^2 ieh npi < k iff YJieh r i^T(pi)( x ) + 

Eie/i r i 1 A\r(p,)( :r ) < k - Tflat is > 
Y r * 1 r(p I )( X ) + Y r * 1 X\r(p l )( X ) <k ^ X£ {J{{rj { x, T ) | r € Yl r iPi + Y < ^ 

/or aZZ x € X, whenever n, . . . , r n , k £ Z. 

Proof. First suppose that x € U{I r ](x,r) I T € Eie/ r ^ + Eie/i < Tnen tnere ex ~ 
ists a prime implicant p : / — 1 {0, 1} of the function / given by f(v) = 1 Eie7 r « t, (*) + 

Ezg/ r *(l ~~ v (i)) < ^ sucn th & t x e FpI(Xt)- Then the function c : 7o U A — >• {0, 1} given 
by 

1 if x G T(pj) and i £ Io 
c(i) := < 1 if x ^ r(pj) and i & I\ 
otherwise. 

extends p and therefore /(c) = 1 whence 

ie/o 

Now suppose that Eie/ Ti ^-T(pi)( x ) + Eieix r «lx\r(pi)( x ) < k and consider the valuation 

1 if x e r(pi),i € I Q 
v(i) = ^ 1 if x r(pi),i <G I\ 
otherwise. 
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We have that f(v) = 1 and therefore obtain a prime implicant p : I — {0, 1} of / such that 
v extends p and x € [r p ](x, r )- D 

This finishes our discussion of prime implicants and we are ready to have a look at several 
examples. We use the following one-step rules to axiomatise the model classes introduced 
in Example 12.11 

Example 4.5. (1) The (standard) modal logic of Kripke frames is axiomatised by all the 
instances of 

(7l') ^ Po;Dpi; "' ;DpTl 
p ;pi; ...;p n 

where n > 0. 

(2) the set of one-step rules associated with graded modal logic (and the graded //-calculus, 
interpreted over finitely branching multigraphs) can be axiomatised by the rule schema 

, r \ (ki)Pi; ■ ■ ■ ; (k n )Pn m , fajgij • • • ; Pmjgm 

where m, n > and r^, Sj € N \ {0} and Yl2=i r «(^« + 1) > 1 + Ej=i s j^'- 

(3) The set of rules associated to the probabilistic /u-calculus comprises all instances of 

(ai)pi; . . . ; (a n )p n ; [&i] 



J m\Hm 



EJLi s ^ - E?=i r ^ < fc 

where m,n > 0, r,,Sj £ N \ {0} and Er=i r « a « ~~ YlJLi s jbj < A; if n > and 
— Ej=i s j^i < A; if n = 0. 
(4) For coalition logic, we have all instances of 

, [Ci]pi;...;[Cn]Pn > [Ci]pi; . . . ; [C n )p n ; [£]<?; Mn; • • . ; [iV>m 

t G u — ~ 1 i°2j 



Pi;--.;p n ~ p 1 ;...;p n ;q;r 1 ;...;r m 

where again m,n > 0. Both rules are subject to the side condition that the Cj are 
disjoint. For (C2) we moreover require C O. 
(5) Finally, the rule set associated to monotone modal logic contains the single rule 

(M)3^. 
p;q 

In the rule schemas (G) and (P), we note that Ei r « a « < & is a set of (prepositional) 
sequents, and therefore qualifies as the conclusion of a tableau rule. To ensure monotonicity, 
we have to ensure that no literal appears negatively. This is a direct consequence of the 
following: 

Lemma 4.6. Suppose thatp is a prime implicant of the boolean function f : {0, 1}^ — > {0, 1} 

given by f(v) = 1 iff ^2 i£ jriVi < k, where (rj)j g / is a sequence of nonzero integers. Then 
p(i) = 1 or undefined whenever Vi < and analogously, p(i) = or undefined whenever 
ri > 0. In particular, all instances of (G) and (P) are monotone. 

Proof. We only demonstrate the first item, the second is analogous. Suppose, for a con- 
tradiction, that p{i) = and < 0. Then, removing i from the domain of definition of p 
yields a function q : I — ^ {0, 1} such that all total extensions e of q still satisfy /(e) = 1, 
contradicting the minimality of p. □ 
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It is easy to see that every A-structure admits a one-step sound and complete set of 
one-step tableau rules. While this demonstrates that our approach is applicable to all 
conceivable A-structures, the challenge of finding a tractable representation of the rule set 
remains, which is crucial for a complexity analysis. An adaptation of \22\ Theorem 17] to 
the setting of monotone tableau rules shows that one-step complete rule sets always exist. 

Proposition 4.7. Every monotone A-structure admits a one-step tableau sound and one- 
step tableau complete set of monotone tableau rules. 

Proof. Suppose that T is a monotone A-structure. We show that there exists a set R of 
monotone tableau rules so that R is one-step tableau sound and one-step tableau complete 
for T, essentially by showing that the set of all monotone one-step sound rules is indeed 
one-step complete. We let R consist of all monotone tableau rules Tq/Ti, . . . ,T n that satisfy 

[Tik.r = • • • = [r„]x,r = [r ]TA> = 

for all sets X and valuations r : V — > V(X). We claim that R is one-step tableau sound 
and one-step tableau complete. 

First, for one-step tableau soundness, suppose that r : V — > V{X) is given and 
{rj TX ,r + for some T C (A U A)(V). For r /Ti, . . . , T n G R and a renaming a : V -»• V 
such that Tocr C T, we have to show that [rj<r]x,r 7^ for some 1 < i < n. Assume, 
for a contradiction, that |Tj<T]]x,T = for all 1 < i < n. Then, for r'(p) = r(cr(p)) we 
have [rj]j T / = for all 1 < i < n so that [ro<r]TX,T = [ro]rx t' = 0> contradicting 
[r a] T x,r 5 IT}tx,t + 

For one-step tableau completeness, we directly show the contrapositive. Assume that 
[T]tx,t = f° r some set X and some valuation r : V — > V(X). We show that, in this case, 
there exists Tq/Ti ■ ■ ■ > T n G R and a : V — > V such that T^a C T and [FjO"]x,r = 0- 

So suppose that [T]tx,t = an d consider the set 

S = {A C V r | [Alx.r = 0} 

where Vr denotes the set of propositional variables occurring in T. If we let S = {T\ , . . . , r n }, 
it suffices to show that T/Ti, . . . ,T n G R. So suppose p : V — >• is a valuation such 

that [rijy, p = • • • = [T n j Y , p = 0. We show that [r] T y iP = 0. To this effect, we claim that 
there exists a function / : Y — > X such that y £ p(p) f(y) € r(p) for all p G Vr. For 

if not, there exists y G y for which a suitable /(y) cannot be found, i.e. for all x G X we 
may find p x G Vr such that x £ t(j> x ) but y G p(p x )- For the sequent A = {p^ | x G X} 
we then obtain [A]x, T = whence A G S but y G [A]y iP , contradicting [Fj]y jP = for all 
i = 1, . . . , n. 

By construction, the function / satisfies p(p) C f~ l {r{p)) for all p G Vr, which gives, 
by monotonicity of the A-structure T, that 

\t\ty, p c [rWj-w = (r/) _1 ([r]rx,r) = 

as required, where the second equality is by naturality of predicate liftings. □ 

In the examples, we can find concrete (and tractable) representations of one-step complete 
rule sets. 

Proposition 4.8. The rule sets introduced in Example \4 ■ 5\ are both one-step tableau sound 
and one-step tableau complete with respect to the corresponding structures defined in Exam- 
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Proof. It is straightforward to see that a set of monotone rules is one-step tableau complete 
iff the set of proof rules arising by negating and swapping premise and conclusion is one-step 
sound and strictly one-step complete in the sense of [23] , where soundness and completeness 
is established for the dual rule sets. The case of graded and probabilistic modal logic 
additionally requires to invoke Lemma 14.41 together with Lemma 3.18 of op. cit. □ 

We now introduce the set of tableau rules that we are using to axiomatise the coalgebraic 
//-calculus. As to be expected, these rules are parametric in a set of one-step rules, and 
we will instantiate our results to the logics introduced in Example 12.11 with help of the 
previous proposition. Along with the tableau rules, we also introduce rule blueprints and 
rule representations that will aid us in the definition of paths through a tableau later on. 

Definition 4.9. The set TR of tableau rules induced by a set R of one-step rules contains 
the propositional and fixpoint rules, the modal rules (m) and the axiom (rule) below: 

T^AAB T;A\/B T; np.A T a, A , T,A,A 

A V) (f )—— T m — Ax 

L;A;B l;A 1 ; B 1 ; A[p := r]p.A\ l 1 <r...l n <7 

Here Tq/Ti . . . T n G R and a : V — > T(A) is a substitution satisfying tJ(r ) = $(Tocr) where 
)J denotes cardinality. The formulas AAB, AV B and rjp.A are called principal in the rules 
(A), (V) and (f). A rule blueprint is of the form AAB, Ay B, rjp.A, (A, A) or (r, a), where 
r G R and a : Vq — > /"(A) is a substitution satisfying ij(To) = H(ToO") and Vq C V is the 
set of variables occurring in r. We write B(R) for the set of rule blueprints over the set 
R of one-step rules. A rule representation is a tuple (I\b) where T G S(A) and b is a rule 
blueprint that satisfies 

• b G T if b is of the form A A B, A V B or r/p.A 

• A,A(£Tii b = (A, A) 

• Too" C T if b = (r, a) and r = Tq/Ti . . . T n . 

Each rule representation (T, b) induces a tableau rule p(T, b) G TR given by 
p(T,A/\B) = —^— P (T,AVB) ' 



A,B,T' rv ' A,T> B, r 

r r 

p(T, np.A) = — — — p(T, (r, a)) 



A\p := V p.A],T' rv ' v ' " Y x a...Y n a 

r 



p(T,(A,A)) = 

where V = T \ {b} in the first three clauses, and r = Tq/Ti • • • T n in the fourth clause. 

The restriction ft (To cr) = $(Tq) on instances of one-step rules ensures that the substitu- 
tion does not identify literals in the premise of a one-step rule, which implies that only 
finitely many modal rules are applicable to any sequent. Similarly, because of the restric- 
tion f}(Tocr) = tt(ro) on substitutions and on the size of the domain of such substitutions 
in rule representations, it is also easy to see that for any T G S(A) the set of rule repre- 
sentations (r, b) is finite. This will enable us to deduce decidability, and indeed complexity 
bounds later. We will, however, need to require that the set of modal rules is contraction 
closed in order to ensure completeness of the restricted calculus. 

Remark 4.10. Alternatively, we could also prove soundness and completeness for the 
tableau calculus without the restriction $(Toa) = §(To) and without requiring contraction 
closure for the set of modal rules. In this case, in order to obtain decidability, we would have 
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to require contraction-closedness of the modal rules. This is essential for proving that we can 
restrict the calculus to (finitely many) instances (r, a) of modal rules with non-identifying 
substitutions a. 

Our definition of rule blueprints and rule representations may seem a bit bureaucratic 
at first sight, so some comments are in order. If we understand a tableau as a two-player 
game where V plays a tableau rule and 3 selects a conclusion, the winning condition for 3 
stipulates that least fixpoints are not unfolded infinitely often. This condition is formalised 
in terms of the evolution of formulas along a path in a tableau, which in turn necessitates 
that we can re-construct the rules applied to tableau nodes. This is achieved by annotating 
each tableau node with a rule blueprint. Together with the node label, the blueprint forms 
a rule representation which in turn induces a rule. We use this mechanism for two reasons: 

• for propositional rules and the fixpoint rule, the rule blueprint records the principal 
formula, that we need to track to define traces later. Moreover, we can distinguish 
between the different conclusions of the induced rule, and 

• for modal rules, the rule blueprint is an unsubstituted one-step rule, which allows us to 
track (unsubstituted) propositional variables, which is again needed for the definition of 
traces. 

The usefulness of the blueprints and rule representations will become clearer in Defini- 
tion 14.121 where we define the set of traces through a tableau path. We are now ready to 
introduce the notion of tableau that we will use throughout the paper. As fixpoint rules 
generate infinite paths, we formalise tableaux as finite, rooted graphs. As a consequence, 
closed tableaux are finitely represented proofs of the unsatisfiability of the root formula. 

Definition 4.11. A tableau for a clean, guarded sequent T € S(A) is a finite, directed, 
rooted and labelled graph (N, K, R, £, a) where N is the set of nodes, K C N x N is the 
set of edges, R is the root node and I : N — > S(T) is a labelling function such that £(R) = T 
and a : N £>(R) is a partial function (that we think of as an annotation) satisfying 

• a(n) is defined iff there exists a tableau rule with premise £(n) iff K (n) ^ 0. 

• if ryrx . . . r n = p(£(n), a(n)) then {r x , . . . , r n } = {£(n') | ri € K(n)} 
where K(n) = {n' | (ra, n') € K} and p is as in Definition 14.91 

In other words, tableaux are sequent-labelled graphs where a rule has to be applied 
at a node if the node label matches a rule premise, and no rule may be applied otherwise. 
The purpose of the annotation a is to record which rule (if any) has been applied at a 
particular node. To keep track of whether least fixpoints are unfolded infinitely often, we 
record the unsubstituted one-step rule (together with a substitution) at modal nodes, as we 
need to track the evolution of formulas along one-step rules, where propositional variables 
may become identified by a substitution. Moreover, it may be the case that two different 
one-step rules generate the same rule instance: both rules ^p/p and Wp, Vq/p generate the 
instance VA/A. As we will be required to traverse infinite loops in a tableaux to ensure 
that only greatest fixponits are unfolded infinitely often, we need to ensure that the identity 
of a rule does not change when nodes are encountered multiple times. 

The reader might wonder why we make a distinction between nodes in a tableau and 
their labels. The technical reason for this is that we need to run an automaton in parallel 
to the tableau, so that the same sequent may be associated with different automata states 
(see the definition of the tableau game in Section [5]). Informally speaking, we have to allow 
for enough paths through a tableau to ensure completeness. We can view a tableau as 
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a strategy of V in this tableau game, where V tries to prove that a given sequent is not 
satisfiable. Accordingly, a closed tableau will correspond to a winning strategy for him in 
the tableau game. An identification of nodes and sequents in a tableau would mean that the 
corresponding strategy of V in the tableau game would only depend on the set of formulas 
with which a position of V is labeled. We cannot guarantee, however, that V has a winning 
strategy of this special kind, even if he has some winning strategy. Therefore, in order to 
be able to represent arbitrary strategies of V in the tableau game as tableaux, we have to 
have the possibility to distinguish between nodes and their labels. The only restriction we 
make is that the tableau graph is finite, i.e. we only consider strategies of V with bounded 
memory. 

Our goal is to show that a formula A € J- (A.) is satisfiable iff no tableau for A ever closes. 
In a setting without fixpoints, a tableau is closed iff all leaves are labelled with axioms. Here 
we also need to consider infinite paths, and ensure that only greatest fixpoints are unfolded 
infinitely often at the top level of an infinite path. As in [17], this necessitates to consider 
the set of traces through a given tableau. Informally, a trace records the evolution (by 
application of tableau rules) of a single formula through a tableau. Formally, we associate 
binary relations with tableau rules, and traces arise by sequencing these relations. 

Definition 4.12. Suppose that T = (N,K,R,£,a) is a tableau for T. A path through T is 
a finite or infinite sequence 

n 2 . . . 

where no = R, ni + x £ K(rii) and q £ N satisfying that £(rii+x) is the Q-th conclusion of 
the rule represented by (£(rii), a(rtj)). A path is called complete if it is infinite or if it ends 
at a node n £ N with K [n] = 0. 

A trace through a path tt is a finite or infinite sequence of formulas (Aq , A\ , . . . ) such 
that Ai € lirii) and (Ai,Ai+i) € Tr(£(m),a(rii),Ci) where the relations Tr(T,b,i) C J"(A) x 
J- (A.) are given as follows: 

• Tr(r, A 1 A A 2 , 1) = {(Ax A A 2 , Ax), (Ax A A 2 , A 2 )} U Diag(r \ {A A B}) 

• Tr(r, A x V A 2 , i) = {(Ax V A 2 , Ai)} U Diag(r \ {Ax V A 2 }) for i = 1, 2. 

• Jr(T,r]p.A, 1) = {(r]p.A,A[p := f]p.A})} U Diag(T \ {r]p.A}) 

• Tr(T, (r,a),i) = {(V(px, ■ ■ ■ ,p n )cr,Pj<r) I V(pi,---,Pn) G ^o,Pj G 
where r = Tq/Tx ■ ■ ■ T n . 

Here Diag(A) = {(x,x) | x € X} is the diagonal on a set X. The triples (T, \>,i) where 
(r, b) is a rule representation, i G N and p(T, b), the rule represented by (r, b), has at least 
i conclusions, are called trace tiles. Finally, a tableau T with root node labelled by T is 
closed, if the end node of all finite paths through T of maximal length that starts in the 
root node is labelled with a tableau axiom, and every infinite path starting in the root node 
carries at least one bad trace with respect to a parity function for T. 

Informally, a path through a tableau is a sequence of nodes, together with the information 
which rule has been applied to nodes, and we cannot have a path that ends in a node to 
which (Ax) was applied. As for the construction of tableaux, the construction of traces 
requires that we pick the same conclusion every time a node is traversed. While in the 
instance A V B,A,B/A,B of (V), both conclusions are identified, they are not equivalent 
from the point of view of traces, as the 'left' conclusion continues the trace from A V B to 
A whereas the right conclusion continues the same trace to B. This difficulty does not arise 
in [T7] where tableaux are formalised as sibling-ordered trees, and the rule blueprints used 
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here serve essentially the same purpose. The traces through a path are calculated using 
the so-called trace tiles. A trace tile records which rule has been applied in a node that is 
visited by the path and through which of the successors of the node that path is continuing. 
It should be noted that for T G S(A) the set 

S r = {(A, b, i) | (A, b, i) is a trace tile and A G S(T)} 

is finite because, as remarked after Definition 14.91 for each A G S(T) there are only finitely 
many rule representations (T,b). We stress this fact, because later on we will use Sr as 
alphabet of the parity automaton that is essential for the definition of our tableau game. 

Example 4.13. Assume that we have a tableau where (V) has been applied at the node 
labelled with A\/ fip.B; C and (f) has been applied at the node labelled with pp.()B; C. (We 
identify nodes and their labels here for simplicity.) Then the path 

A V fip.B; C fip.QB; C §B[p := fip.B}; C ... 

supports the traces (A V pp.()B, fip.()B, ()B[p := fip.B], . . . ) and (C, C, C, . . . ). Note that 
there is no trace on this path that starts with A. 

We now continue the development of the general theory and first establish soundness of the 
tableau calculus: satisfiable sequents cannot have closed tableaux. This relies on Theorem 
13.61 as a winning strategy for 3 in the model checking game can be used to construct a path 
through any tableau that carries a bad trace. 

Theorem 4.14. Let R be a one-step tableau complete set of monotone rules for the modal 
similarity type A, and let T G S(A) be clean and guarded. IfT is satisfiable in some model 
M = (A, 7, h), then no closed tableau for T exists. 

Proof. Consider a model M = (X,j,h) and x G X such that M,x \= T and let T = 
(N,K,R,£,a) be a tableau for T. As M,x \= T, Theorem 13.61 implies that 3 has a history- 
free winning strategy g in AAQ-p = AiQr(M) from all positions (B,x) of the game board 
with B G r. We now establish that there exists a complete path and an associated se- 
quence of model states satisfying the formulas on this path that can be contracted to a 
play in the model checking game. More precisely, we establish the existence of a path 
7r = uqCqUiCi . . . n[C[ . . . through T and a sequence x = ^o^i ■ ■ ■ X[ . . . of states that satisfy 

(i) no = R and xq = x and M,Xi \= £(ni) whenever rn is defined, 

(ii) for each trace r = B$B\ . . . B\ . . . through tt there exists a play (Aq, yo)(Ai, y{) . . . 
(where we do not record the positions that have subsets of the model as second com- 
ponent) that is played according to g and there is an increasing sequence = sq < 
si < . . . of indices such that B Sl B S2 ■ ■ ■ = AqAi . . . and yoyi ■ ■ ■ = x SQ x Sl . . . where 
Bi = B Sj and Xi = x Sj whenever sj <i < Sj+i. 

Once this claim is established, it follows that T cannot be closed: consider the path tt just 
constructed. If tt is finite, the label A of the last node of ir cannot be a tableau axiom, 
as A is satisfiable by construction. In case it is infinite, every trace r through tt induces a 
A^r-play that is played according to El's winning strategy g which implies that r is not 
bad. Taken together, this shows that T cannot be closed, so it remains to establish the 
claim. 

We construct the required path tt and the sequence x of states in a step-by-step fashion, 
starting at the root of the tableau and at the state x, i.e. we put uq = R and xq = x. So 
suppose that a path tt = uqCq . . . Cj-inj and a sequence of model states xq . . . Xj satisfying 
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and (Jn|) above have already been constructed, and tt is not yet complete. We distinguish 
cases on the rule r = p(£(rij), a(rij)) applied at (the last) node rij. 

We begin with the case where r = A;Di V D2I A\D\ A;Z?2 is an instance of the 
disjunction rule. In this case, we can find tableau nodes mi and mi with £{m\) = A,D± 
and lirni) = A,Z?2 arid K(rij) D {toi,TO2}. Suppose that g{D\ V D2,Xj) = (D; L ,Xj) 
for i G {1,2}. We put Cj = i, %+i = rrii and Xj + \ = Xj. Then the extended path 
tt' = ircjrij + i and xqXi . . . XjXj + ± satisfy condition ([!]) of our claim. Obviously we have 
xj + i \= A. Furthermore, Xj + \ \= Di as {Di,Xj + \) is a winning position of 3 in A4Qr- 
Thus, as £(rij + i) = A;Z)j, we have Xj + \ (= i{rij + i) as required. To see that (jn]) also holds, 
consider a trace t' = Bo... BjBj + \ through tt' and let P = (Ao, yo)(A\, y{) . . . (Bj^y^) be 
the partial play of M.Qy that is associated to t = Bo ... Bj and that is played according 
to g. If Bj / D] V L>2 w e have Bj = Bj + \ and P can be chosen as the corresponding 
A^r-play for t'. Otherwise, if Bj = D\ V D2, we have Bj + \ = Di and we extend P to 
(Ao,yo)(Ax,y 1 ) . . . (D 1 V D 2 ,y k ){Di,y k+1 ) with = y k . This 7Wt? r -play now satisfies 
condition (jn]) of our claim. 

The cases where r is an instance of the conjunction or fixpoint rules are similar (even 
easier, as these rules only have one conclusion). So suppose that r is an instance of a modal 
rule. That is, r = p(£(rij),a(rij)) with a(rij) = (r,a) for some rule A/Ai,--- , A s with 
Act C i{rij) and K{rij) ^ {mi, . . . , m s } with £(rrii) = Aj<r for i € {1, . . . , s}. We define 
a valuation r : Va — > V(X) on the set Va of variables occurring in A by stipulating that 
r(p) = Uk where the (unique) occurrence of p = p k is in the formula "v^pi, . . . ,p r ) £ A and 
g(D,Xj) = (D, (Ui, . . . , U r )) with D = ( ^(a(pi), . . . ,a(p r )). As g is winning for 3 in A4Gr 
at position (D',Xj) for all D' G Ac, it follows that j(xj) € [A]tx t1 which implies that 
[A]tx,t^0- 

By one-step tableau completeness, [Aj]x, r 7^ for some i G {1, . . . , s}. We now extend 
tt to a path tt' = Trrrii and let Xj + \ be an arbitrary element of [Aj]x,r- Now consider a 
trace t' through tt' that ends in some formula A with A = a (pa) for some pa € Aj. Then, 
by Definition I4.12( t' is of the form tA where r is a trace through tt ending in a formula of 
the form B = ^?(pi, . . . ,p n )o-, ^(pi, ■ ■ ■ ,Pn) £ A, and pa = Pk for some k € {1, . . . ,n}. 

By assumption, there exists a corresponding 7W(?r-play, played according to g, that 
ends in position (V(pi, . . . ,p n )a,Xj). This play can now be extended by 3 moving to 
giPipii ■ ■ ■ -iPn)^-, Xj) = (S?(pi, ■ ■ ■ ,Pn)&i (U%, . . . U n )). We extend this play letting V move 
to (A,Xj+i). The latter move is legitimate as a(pk) = A and because Xj + \ G [Aj]x,T = 
HpeAi t (p) — T (.Pk) S {t/i, . . . , J7 n }. It remains to note that for every formula A' G Aj there 
exists a trace through tt' that ends in A', and therefore also a possibly partial A^t/r-play 
according to 3's winning strategy g ending at (A',Xj+\). This implies that for all A' G Aj, 
(A',Xj+\) is a winning position for 3 in A4Gr, and hence M,xj+i \= A' for all A' G Aj. 
This finishes the proof of the claim and hence that of the theorem. □ 

Example 4.15. Consider the following formula of the coalitional ^-calculus 

[C)vX.(p ApVjX) A [D]fiY.(p V [£>]y) 

stating that "coalition C can achieve that, from the next stage onwards, p holds irrespec- 
tive of the strategies used by other agents, and coalition D can ensure (through suitable 
strategies used in the long term) that p holds after some finite number of steps" . Here, we 
assume that C,D C N are such that C D D = 0. Define a parity map for the above 
formula by Q(vX.(p A \N]X)) = 2, n(fiY.(pV [D]Y)) = 1 and n(A) = otherwise. The 
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unsatisfiability of this formula is witnessed by the following closed tableau: 

[C]B A [D]A 
[C]B- [D]A 

B^A < 

p A [N]B ; A 
pA[N]B;p\/[D]A 
_ p;\N]B;pV[D]A_ 
P-, [N]B;p p;[N]B;[D]A^ 

where B = uX.(p A [TVjX), A = pY.(p V [-D]V) and where we omitted the annotation 
a because in this case a can be easily deduced from the structure of the tableau. For 
example, the annotation for the root node is equal to [C]B A [D]A and for the child of the 
root the annotation is equal to ( ^p'^ ;' 7 ) where a : {p, q} — > {A, B} is a substitution with 
a{p) = B and a(q) = A. 

Any finite path through this tableau ends in an axiom, and the only infinite path 
contains the trace 

[C]B A [D]A, [D]A, A, A,pV[D]A,pV[D]A, [D]A, A 

where the overlined sequence is repeated ad infinitum. This trace is bad with respect to f2, 
as Q(A) = 1 and A is the only fixpoint formula that occurrs infinitely often. 

5. The Tableau Game 

We now introduce the tableau game associated to a clean and guarded sequent T, and use 
it to characterise the (non-)existence of closed tableaux in terms of winning strategies in 
the tableau game. For the entire section, we fix a modal similarity type A and a set R of 
monotone tableau rules that is both one-step sound and complete. The idea underlying the 
tableau game is that V intends to construct a closed tableau for a given set of formulas T, 
while 3 wants to demonstrate that any tableau constructed by V contains a path it that 
violates the closedness condition. As infinite plays of the tableau game correspond to paths 
through a tableau, an infinite play should be won by 3 if it does not carry a bad trace, 
that is, outermost least fixpoints are only unfolded finitely often. To be able to see this 
tableau game as a parity game, we therefore need a mechanism to detect bad traces, and 
we employ parity word automata for this task. Board positions in the ensuing tableau 
game will therefore be sequent / automata state pairs, with the priority of a board position 
being determined by the parity function of the automaton. In particular, this will ensure 
that winning strategies of 3 in the tableau game do not generate bad traces. We start 
our discussion of the tableau game by recalling some basic notions concerning parity word 
automata. 

Definition 5.1. Let £ be a finite alphabet. A non- deterministic parity T,-word automaton 
is a quadruple A = (Q, aj , 5 : Q x S — > V(Q), fi) where Q is the set of states of A, ai £ Q 
is the initial state, 6 is the transition function, and Q, : Q — > ui is a (parity) function. Given 
an infinite word 7 = C0C1C2C3 . . . over S, a run of A on 7 is a sequence p = a$aia2 ■ ■ ■ £ Q w 
such that ao = a/ and for all i £ u we have Oj+i G 6(ai, q). A run p is accepting if p is not a 
bad sequence with respect to Q. We say that A accepts an infinite S-word 7 if there exists 
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an accepting run p of A on 7. Finally we call A deterministic if 5(a, c) is a one-element set 
for all (a, c) G Q x £. 

In other words, a parity word automaton is deterministic if its transition function has type 
Q x £ — > Q. To develop the tableau game, we use parity word automata over trace tiles 
(cf. Definition I4.12p to detect the existence of bad traces through infinite plays. We now 
establish the existence of such automata, together with a bound on both the state set and 
the range of the parity function. 

Lemma and Definition 5.2. Let T G S(A) be a clean, guarded sequent, and let £r denote 
the set of trace tiles (A,b,i) with A G S(T). There exists a deterministic parity Sr-word 
automaton Ap = {Qr, ar,o~r, O') such that Ap accepts an infinite sequence (to, t\, . . . ) 6 
of trace tiles iff there is no sequence of formulas {Aq, A\, . . . ) with (Ai, ^4j+i) G Tr(ij) which 
is a bad trace with respect to a parity function for T. Moreover, the index of A and the 
cardinality of Q are bounded by p(|Cl(T)|) and I Ci(r) | ) f or a polynomial p, respectively. 
Such an automaton A is called a I" '-parity automaton. 

Proof. We start by constructing a non-deterministic parity automaton that accepts w = 
totit2 ... G Sp iff w does contain a sequence AqAi . . . G C1(T) w that is bad w.r.t. Q and 
satisfies (Ai,Ai + i) G Tr(ij) for all i G N. We put Q' = C1(T) U {aj} where we assume that 
a/ i Cl(r) and define 5' : Q' x £ r -> P(Q') by <5'(a/,i) = LU e r Tr (*)(^) ^ C1 ( r ) an d 
«5'(£,t) = Tr(t)(B) for B G C1(A) and t G S r . If we put 0"(aj) = and = 0(5) + 1 

where O is a parity function for T, the automaton A' = (Q' ,aj,S' ,0") accepts a word 
w if w does contain a bad trace starting in some B £ T. We now transform A' into an 
equivalent deterministic parity automaton A^ by means of the Safra construction to obtain 
an automaton of size 2°( Tlfclog ( Tlfc )) whose parity function has a range of order 0(nk) where 
n = \Q'\ + 1 and k is the cardinality of the range of Q (cf. \19\ I20|). The automaton Ap 
is then obtained by complementing A^ which can be done by changing the parity function, 
and neither increases the size nor the index of the automaton. This implies the claim as 
the cardinality k of the range of is bounded by the size n of the state set n of the initial 
automaton. □ 

We thus arrive at the following notion of tableau game, where T-parity automata are used 
to detect bad traces. 

Definition 5.3. Let T £ S(A) be clean and guarded, and let A = (Q, ar, 5, 0) be a T-parity 
automaton. We denote the set of tableau rules Tq/Ti, . . . , T n G TR for which Tq G S(r) by 
TRr and write B(T) for the set of rule blueprints b such that 

• b G Cl(r) if b G J'(A) and A G Cl(r) if b = (A, A) 

• T a G S(r) if b = (r,a) and r = T /T l ...T n . 

The T-tableau game is the parity game Qy = (B^, By, E,£l') where By = S(T) x Q, B^ = 
S(r) x B(T) x Q and the relation E C By x B^ U B^ x By that defines the allowed moves 
is given by (61, 62) £ E if either 

• 61 = (A, a) G i?v> ^2 = (A, b, a) and (A, b) is a rule representation 

• 61 = (A,b,a), 62 = (A', a') and there exists i G N such that A' is the i-th conclusion of 
the rule represented by (A, b) and a' = 5(a, (A, b, i)). 

The parity function Q' : (B^ U By) — > u of Qr is given by 0'(A, a) = fl(a) if (A, a) G By 
and 0'(A,b,a) = 0. 
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If not explicitly stated otherwise, we will only consider £?r-plays that start at (T, ar) 
where ar is the initial state of the automaton A. In particular, we say that a player has a 
winning strategy in Qr if (s)he has a winning strategy in Qr at position (T, ar). 

The easier part of the correspondence between satisfiability and winning strategies in 
Qr is proved by constructing a closed tableau based on a winning strategy for V. To show 
that this tableau is indeed closed, we need to show that every infinite path carries at least 
one bad trace, which follows from the fact that V wins in the tableau game. To make this 
formal, we consider a notion of path and trace also relative to plays in the tableau game. 

Definition 5.4. For a C/r-play 

vr = (r°, ao)(r°, b , aoXrSaiXT 1 , bi,ai) . . . (r ; , a,)(r', h, ai ) . . . 

a sequence n' = r°cor 1 ci . . . F l ci ... of sequents and natural numbers is an underlying path 
of 7T if U = (P,bj,Cj) is a trace tile and 5(ai,ti) = aj+i for all i G N. A sequence of 
formulas a = AqA\Az ■ ■ ■ G J-{K)°° is a trace through n if there exists an underlying path 
vr' = rOcoI^cir 2 . . . of vr such that (A h A i+1 ) G Tr(P, b;, a) for all i G N. 

An underlying path of a £/r-play is very similar to the notion of a tableau path. This is 
due to the correspondence between tableaux and strategies of V in the tableau game. This 
correspondence is crucial in the proof of the following theorem. 

Theorem 5.5. Let F G S(A) be clean and guarded. //V has a winning strategy in Qr, then 
F has a closed JR-tableau. 

Proof. Suppose that V has a winning strategy / in Qr at position (F, ar). As Qr is a parity 
game we can assume that V's strategy is history-free, i.e. it can be encoded as a partial 
function / : S(T) x Q — ^ S(T) x B(F) x Q. In order to prove the claim we are going to 
define a closed tableau T = (N, K, R, £, a) for F. We define N to be the set of positions in 
S(T) x Q for which / is a winning strategy (in particular, this entails that / is defined at 
all positions in N). Obviously we have (T, ar) G N and we put R = (F,ar). The labelling 
function on iV is the first projection map, i.e. £(A, a) = A for all (A, a) G N C S(T) x Q. 

For all (A, a) G N the set of X-successors is defined using V's strategy by putting 
K(A, a) = {(A', a') | (A', a') G E(f(A,a))} where E(f(A,a)) is the set of possible moves 
of 3 at /(A, a). Finally we define the annotation a of T by putting a(A, a) = ^(/(A, a)) 
where 1T2 : S(T) x B(F) x Q — >■ B(F) denotes the second projection map. 

It is an easy consequence of the definition of the tableau game that T is a well-defined 
tableau. We now show that T is a closed tableau. To this aim consider first a finite complete 
path 7T = (F ,a )c (F 1 ,ai)ci ■ ■ ■ Cn-i(F n ,a n ) through T with (r ,a ) = (r,a r ). This gives 
rise to a £?r-play of the form 

(r ,ao)(ro,bo,ao)(ri,ai)(ri,bi,ai)(r 2 ,a2) . . . (F n ,a n ) 

that is played according to V's winning strategy /. In order to see this, note that for all 
< i < n we have (Tj+i, aj+i) G E(f(Fi,ai)), i.e. (Fi + i,ai + \) is a legal answer to V's move 
at (Tj, ai) if V is playing according to his strategy /. Since tt was assumed to be complete, 
and since V has a winning strategy at the last position (F n , a n ) of the corresponding C/r-play, 
it follows that 3 cannot move in the position obtained by V playing according to his strategy 
at (r n ,a n ). This can only be the case if V moves to (F n , (A, A),a n ) at (F n ,a n ) for some 
A G ^"(A), which in turn is only possible if F n is a tableau axiom. 

Consider now an infinite path ir = (Fq, ao)co(Fi, ai)ci(r2, 02) • • ■ through T starting 
with (ro,ao) = (r, ar). As in the previous case, this induces an infinite C/r-play P of the 
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form 

P = (r ,ao)(ro,bo,ao)(ri,ai)(ri,bi,ai)(r 2 ,a2) • • • (r„,a n ) . . . 
that is played according to V's winning strategy /. By the definition of the game board of 
Qy, this means that the infinite sequence p = ao<xia 2 . . . G can be seen as a run of Ar on 

w = (T , b , cq)(Ti, bi, ci)(r 2 , b 2 , c 2 ) . . . G Sp. 

By assumption / was winning for V and therefore P does not satisfy the parity condition 
Q' of £/r- This implies that p = araia 2 • • • G Q w does not fulfil the parity condition Q of 
the automaton Ap. In other words, as p is the run of Ap on to, there must be a sequence 
/3 = B Q B X B 2 ... £ Cl(r) w such that (B h B i+1 ) G Tr(I\, b i; Cj) that is bad w.r.t. IX In other 
words, /3 is also a trace through the path tt, which implies that there exists a trace through 
7r that is bad w.r.t. f2 as required. This finishes the proof that T is closed. □ 

The converse of the above theorem is established later as Theorem 15.181 The challenge 
there is to construct a model for T based on a winning strategy for 3 in the T-tableau game. 
As we only allow substitution instances of modal (one-step) rules that do not duplicate 
literals (we require that substitutions do not decrease the cardinality of premises in one- 
step rules in Definition 14. 9p . we need to require that the set of tableau rules to be closed 
under contraction. 

Definition 5.6. A set R of monotone one-step rules is closed under contraction, if for all 
rules To/Ti, . . . , T n € R and all a : V — > V, there exists a rule Ao/Ai, . . . , A& G R and a 
renaming r : V — > V such that At = Br for A,B€ Aq implies that A = B, Aqt C T^a 
and, for each 1 < i < n, there exists 1 < j < k such that TjCJ C AjT. 

In other words, instances of one-step rules which duplicate literals in the premise may be 
replaced by instances for which this is not the case. 

Remark 5.7. Every monotone A-structure admits a one-step tableau sound and one-step 
tableau complete set of monotone tableau rules that is closed under contraction. This follows 
from the fact that the set of one-step rules from the proof of Proposition 14.71 is closed under 
contraction: Consider a rule Tq/Ti, . . . ,T n G R and any renaming a. Then, by the definition 
of the set of one-step rules R in Prop. 14.71 we can easily show that Ao/Ai, . . . , A n G R 
with Aj = Tjcr for i = 0, . . . , n. Closure under contraction follows from the fact that 
Ao/Ai, . . . , A n together with r = idy satisfy the conditions of Definition 15.61 

Under the condition of closure under contraction (cf. Remark 14. 10|) . we prove: 

Theorem 5.8. Suppose that T G S(A) is clean and guarded and R is one-step tableau 
complete and contraction closed. If 3 has a winning strategy in Qy, then T is satisfiable in 
a model of size 

0(2pW) where n is the cardinality of Cl(r) and p is a polynomial. 

The proof of Theorem 15.81 constructs a model for T out of the game board of Qy 
using a winning strategy / for 3 in Qy- We use one-step tableau completeness to impose 
a T-coalgebra structure on those V-positions in Qy that are reachable through /-conform 
t/r-plays, with the resulting coalgebra satisfying the truth lemma. We then equip this 
T-coalgebra with a valuation that makes V satisfiable in the resulting model. While our 
construction shares some similarities with the shallow model construction of [24], it is by 
no means a simple adaptation of op. cit., as we are dealing with fixpoint formulas and thus 
cannot employ induction over the modal rank of formulas to construct satisfying models. 
Our proof of satisfiability is also substantially different from the corresponding proof for the 
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modal /i-calculus (cf. [17]) - we show satisfiability by directly deriving a winning strategy 
for 3 in the model-checking game from a winning strategy of 3 in the tableau game. 

We now turn to the details of the proof of Theorem 15.81 Throughout the proof, we 
assume that T G S(A) is a clean, guarded sequent and / : S(T) x B(T) x Q — ^ S(T) x Q is 
a history- free winning strategy for 3 in Qy- The construction of a supporting Kripke frame 
for a model of T is based on V-positions of Gr where only modal rules can be applied. This 
is formalised through the notion of atomic sequent. 

Definition 5.9. A A-formula is atomic if it is either a propositional variable p G V, a ne- 
gated propositional variable p G V, or a formula of the form V(Ai, . . . , A n ) or ^(Ai, . . . , A n ). 
A sequent A G S(A) is atomic if all its elements are atomic. We write At(T) for the set of 
atomic sequents in S(T), and call a ^r-position (A, a) G By atomic if A is atomic. 

The state set of the satisfying model that we are about to construct are the atomic im- 
positions (A, a) that are reachable from (T,ar) through £/r-play that is played according to 
/. As the propositional rules are invertible, we may assume that V applies them in any fixed, 
given order. This simplifies the model construction as it implies - together with 3's strategy 
- that every sequent is unfolded to an atomic sequent in a unique way. Fixing the order in 
which V applies propositional rules can be seen as a strategy, that we call propositional: 

Definition 5.10. A propositional strategy for V in the tableau game Gr is a function 

g:S(T)\At(T)^B(T) 

such that (A, <?(A)) is a rule representation for all A G S(T) \ At(r). A Q^-play is played 
according to g if V moves at any position of the form (A, a) G (S(r) \ At(T)) x Q that occurs 
in the play to the position (A, <?(A), a). 

For the remainder of this section we fix a propositional strategy g for V. As annonced 
informally in the beginning, this dictates that plays proceed to atomic positions in a unique 
way, and in fact induces a function from arbitrary positions to atomic ones in the tableau 
game. 

Lemma and Definition 5.11. Let / be a strategy for 3 in Qy- For any position (A, a) G 
S(r) x Q there exists precisely one position (A', a') G At(r) x Q and one partial (?r-play 

(A,a),--- ,(A',a') 

that is played according to / and g and which does not contain an instance of a modal rule. 
We let a/ : S(r) x Q -> At(r) x Q be the function given by er/(A,a) = (A', a'). 

For the construction of a satisfying model for T we are going to define a relation on the 
set of atomic positions of Qy where two atomic positions are related if the second position 
is selected by 3's strategy in response to V playing a modal rule. In the case of Kripke 
frames, this relation would already define the satisfying model, but in the general case, we 
need to impose a coalgebra structure on top of this relation in a coherent way. To achieve 
this, we single out specific states (the ^-successors) that we take as under-approximation of 
the semantics of a formula A. Informally speaking, an ^4-successor of an atomic state arises 
by V playing a modal rule, and 3 selecting a conclusion containing A that is then reduced 
to another atomic position. Formally, we introduce the notions of A-children (conclusions 
selected by 3 that contain A) and ^4-successors (reductions of A-children to atomic form), 
both relative to a strategy for 3. 
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Definition 5.12. Suppose that / is a history-free strategy of 3 in Qr, and let (A, a) G 
At(r). A position (A', a') G S(T) x Q is an A-child of (A, a) along / if A G A' and 
(A', a') = /(A, b, a) where ((A, a), (A, b, a)) is a legal move of V in Qr- We put 

Chld/(A, A, a) = {(A', a) G S(r) x Q \ (A', a') A-child of (A, a) along /} 

and write Chld/(A,a) for the collection of all A-children of (A, a) along /. An atomic 
position (A", a") is an A-successor of (A, a) along / if (A", a") = o/(A',a') for some A- 
child (A', a') of (A, a) along /. This is denoted by 

Suc/(A, A, a) = {(A", a") G At(r) x Q \ {A", a") A-successor of (A, a) along / } 

and we write Suc/(A,a) = LUeCi(r) Sue/ (A, A, a) for the collection of all A-successors of 
(A, a). 

In other words, an atomic position (A", a") is a successor of (A, a) if it is reachable 
from (A, a) by a play that is played according to 3's strategy / and the (fixed) propositional 
strategy g that involves precisely one modal rule. The position (A", a") is an A-successor 
of (A, a) if the conclusion of this modal rule that is picked by / contains the formula A. 
This allows us to introduce coherent coalgebra structures, i.e. those structures on atomic 
positions that satisfy the truth lemma. 

Definition 5.13. Suppose that / is a history-free strategy for 3 in Qr and let 

Y = {(A, a) G At(r) x Q \ a f (T, ai ) ^* (A, a)} 

where for (A, a), (A', a') G At(T) x Q, (A, a) -> (A', a') if (A', a') G Suc/(A, a). A coalgebra 
structure 7 : Y — > TY on Y is called coherent if 

7 (A,a) G [<?]y(Suc/(A 1 ,A,a),...,Suc / (A n ,A,a)) 

whenever V(Ax, . . . , A n ) G A. A valuation h : V — > V(Y) is coherent if (A, a) G h(p) 
whenever p G A. 

In other words, the carrier of a coherent coalgebra is the set of atomic positions that are 
reachable from the initial position via 3's strategy /, and the coalgebra structure is so that 
we can establish the truth lemma, together with monotonicity of the modal operators: the 
A-successors of an atomic position contain an element of the disjunctive normal form of A 
and hence serve as an under-approximation of the truth-set of A. We note that a position 
cannot be both an A-successor and an A-successor of the same position. 

Lemma 5.14. Let f be a history-free winning strategy for 3 in Qr and let (Ai,ai) and 
(A2,a2) be atomic Q-^-positions such that f is a winning strategy for 3 at (Ai,ai). Then 
for all formulas A we have 

(A2, 02) G Suc/(A, Ai, ai) implies that (A2, 02) ^ Suc/(A, Ai, a±). 

Proof. Suppose for a contradiction that (A2,a2) G Suc/(A, Ai, a\) as well as (A2,a2) £ 
Suc/(A, Ai, ai) for some formula A. Then, by the definition of Sue/, there must exist (A', a') 
and (A", a") in S(T) x Q such that A G A', A G A" and ct/(A', a') = a f (A", a") = (A 2 , a 2 ). 
A straightforward induction argument shows that in this case there must exist a formula B 
such that B,B G A2. Therefore (A2,a2) is a winning position for V. But this contradicts 
the fact that there exists a <?r-play from (Ai, a±) to (A2, 02) played according to /, and our 
assumption that / is winning at (Ai,ai). □ 
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We now show that if 3 has a winning strategy / in the tableau game for T, then a coherent 
model for T exists. This is where contraction closure is needed as the application of modal 
rules may not identify elements in the premise of a rule. 

Proposition 5.15. Every history-free winning strategy f : S(T) x B(T) x Q S(T) x Q 
for 3 in Qr induces a coherent model (Y, 7, h) . 

Proof. We follow Definition ETJ and put Y = {(A, a) G At(T) | ff/(T,oj) ^* (A, a)} where 
— )• is as in the definition, and we define a coherent valuation h : V — > y by = {(A, a) € 
y I p 6 A}. It remains to be seen that we can define 7 : Y — > TY coherently. It is a 
consequence of Lemma 15.141 and of the fact that / is a winning strategy for 3 in that for 
all (Ax, ai), (A2, 02) G Y we have 

(A 2 , a 2 ) G Suc/(A, Ai,ai) implies (A 2) a 2 ) ^ Sucf(A, Ai, ai). (5.1) 

Now suppose for a contradiction that there is no 7 : V — > TY such that (Y, 7) is a coherent 
coalgebra structure for T. Then there exists some (A, a) G Y such that we cannot find a 
t G TY that satisfies the condition in Definition 15.131 Consider the set of formulas 

e = {V(p Al ,. ■ ■ ,paJ I <?(4i, . . . , A,) e A} 

u {% 1) ...,p,J|^ 1 ,...A)6A} ^ 

where for any formulas of the form ^(Ai, . . . , A n ) or ^(Ai, . . . ,A n ) in A we associate a 
unique propositional variable pa 4 to the formula Ai, for i G {1,... , n}. Let Ve be the set 
of propositional variables occurring in ©. We define a valuation t : Vq —> P(Suc/(A, a)) by 
putting r(pyi) = Suc/(A, A, a). 

Using our assumption on (A, a) it is not difficult to see that [QlTSuc^A.a^T = 0- There- 
fore one-step tableau completeness implies that there exists a rule Tq/Ti ■ ■ ■ T n and a sub- 
stitution o~ \ V — y V such that T^a C 6 and l^iO'}suc f (A,a),T = f° r an * S {lj • • • i n }- 
Because of contraction closure of R we can assume w.l.o.g. that §(Tq(t) = $(Tq). 

On the other hand, for r] : V® — > J- (A.) with tj(j)a) = A, we clearly have T^ar/ C A 
with ftiToar]) = ft (To), and thus V can move in the tableau game from position (A, a) 
to the position (A, (T0/T1 ■ ■ ■ T n , 77 o a), a). Now 3 moves to some (Tjarj,a") with j € 
{1, . . . , n} according to her winning strategy /. Therefore we have (Tjarj, a") € Chldj(A, a). 
Furthermore, the play can be continued according to 3's strategy / until the atomic position 
(A', a') = af (Tjarj, a") is reached. By definition we have 

(A', a') G Suc f (Bri, A, a) for all B e Tjcr. (5.3) 

It now follows that (A', a') G [-B]suc/(A,a),r f° r an B £ ^j a - To see this, consider an 
arbitrary formula B G Tja. By the definition of G and the fact that Toa C Q we have that 
Tjcr consists of atoms only. Therefore B = pa for some formula A. By (|5.3p . we know that 
(A', a') G Sucj(pa^, A, a) = Sucj(A, A, a), and therefore (A', a') G [-B]suc / (A,a),r- As 5 
was an arbitrary element of Tja we obtain (A', a') G [-B]sucy(A,a),T fo r an ^ ^ Tj-cr, which 
contradicts the fact that {Tja}suc f (A,a),T = 0- This concludes the proof. □ 

We can now take a history-free winning strategy / for 3 in the tableau game and show that 
the induced coherent model Y satisfies the initial sequent. This is achieved by converting 
the strategy / (in the tableau game) to a strategy / in the model checking game over Y. 
Satisfiability then follows as soon as we establish that AdQ^-plays that are played according 
to / correspond to traces through ^r-plays that are played according to /. 
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Lemma 5.16. Let f be a history-free winning strategy for 3 in Qr, let Y = (Y,7, h) be 
the coherent model induced by f, and consider a position (Ao,(Ao,ao)) in MQ-pi^i) with 
(Ao,ao) = o-f(T,ai) and Aq G Aq. Then 3 has a strategy f in MGrO?) a ^ (A)) (Ao, ao)) 
such that for any (possibly infinite) sequence (Aq, (Aq, ao))(^4i, (Ai, a±)) . . . (A n , (A n , a n )) . . . 
that can be extended to an f -conform A4QrO^)-play by inserting positions of the form 
(V(Bi, . . .,B n ), (Ui, ... , U n )) we have 

(1) there exists a (possibly infinite) Op-play tt and a trace t = Bq, B±, . . . , B r , . . . through tt 
( cf. Def. \5.4\ ), such that 

(a) tt contains a sub-sequence of V -positions of the form 

(A' ,a' ),(A' 1 ,a' 1 ),...,(A , n ,a > n ),... 

with af(A' i ,a' i ) = (Aj,aj) and A^ B Ai for each i>0 

(b) r is contractable to Aq,A\, . . . ,A n , . . . , that is, there exists an increasing sequence 
= so < s\ < . . . of indices such that AqA\ . . . = B SQ B Sl . . ., where B{ = B Sj 
whenever Sj < i < Sj + i, for j = 0, 1, — 

(2) for all MGrO^) -positions °f ^ e form (A, (A, a)) occurring in tt, with A atomic, we 
have A G A. 

Proof. We define the strategy / for 3 in MQp(Y) starting at position (A ,(A ,ao)) by 
showing how to extend each partial, /-conform 7W(?r(Y)-play starting in (Aq, (Ao,ao)) and 
ending in an 3-position b = (B, (A, a)) with a position b', such that (6, b') is a valid move for 
3 in MQr(Y). We will show later that each such partial play determines a partial <5r-play 
starting in (Ao,ao) and ending in some (A', a') G S(r) x Q with Of(A',a') = (A, a) and 
A' 3 B. At this point, we assume the above, and base our definition of 3's strategy solely 
on (B, (A, a)) and (A', a'). We define 3's move in (B, (A, a)) by case analysis on B: 
Case B = B\V B2: Then aj(A' , a') = (A, a) together with A' 3 B ensure the existence of 
a C/r-play of the form 

(To; do)(T , bo, d ) . . . (T k-i,^k-i, dk-i)(T k, dk) 

with (T , d ) = (A', a'), Tj At(T) for < j < k and (T k ,d k ) = (A, a), that is played 
according to / and g, such that bj = B\ V B2 for some < j < k. Let Toco . . . Ck-\T k 
be an underlying path of the above C/r-play- Then, Cj € {1,2}, and we define 3's move 
at position (B, (A, a)) of MGrO?) to be to the position (B Cj , (A, a)). Moreover, we note 
for future reference that the tableau node (Tj+\, ti/+i) satisfies af(Tj + i,dj + i) = (A, a) 
and r j+ i 3 B Cj . 

Case B = V(Bi, . . .,B n ): We define 3's move at position (B, (A, a)) of MQt(Y) to be to 
the position (B, (U\, . . . , U n )) with 

Uj = SuCf(Bj, A, a) 

for j = 1, . . . , n. To justify this move, we must show that 7(A, a) G \$\y (Ui, ■ ■ ■ , U n ). 

But this follows from Definition 15.131 
This defines a strategy for 3 as there is no choice for 3 at all other positions (B, (A, a)) in 
MGrO?)- Now consider a (possibly infinite) A / K?r(Y)-play of the form 

(Ao, (A , a )), (At, (A 1 ,a 1 )), (A n , (A n , a n )), . . . 

played according to the previously defined strategy. We shall construct a ^r-play tt and 
an underlying path tt' of tt with an associated trace r, with the required properties. In 



26 



C. CiRSTEA, C. KUPKE, AND D. PATTINSON 



particular, the construction of ir will supply a sequence of t/r-positions (A' , a' ), (A' l5 a[), . . . 
to be used in denning El's moves. 

To begin with, note that by assumption on (Aq, (Ao,ao)) we have aj(T,ar) = (Ao,ao) 
and Aq G T. Hence, we let (A' ,a' ) = (T,ar) be the first position of it, let T be the first 
position of tt', and let To = Aq G V. 

Now assume that tt, tt' and r have been constructed up to a position (A^,a-), with 
af(A' i ,a' i ) = (Aj,cij) and A^ 9 Aj. We extend the partial Q^-play tt with a segment 
starting in (A^, a-) and ending in some (A- +1 , a- +1 ), with cr/(A- +1 , a- +1 ) = (A i+ i,a i+ i) and 
A' i+l 9 A i+1 . Here (A i+i,ai+i) represents the position obtained as a result of 3 moving in 
(Aj, Oj), based on the additional information provided by (A^, a'A, according to the strategy 
defined earlier. At the same time, we extend the underlying path tt' of ir with a segment 
A^ . . . A' i+l , and the trace r with a segment Ai,. . . ,A{, Aj + i. These constructions are carried 
out by case analysis on Aj. 

Case Ai = Aj V Af: Here, the A4<?r(Y)-move from (Aj, (A^a,)) to (Aj+i, (A i+ i,a i+ i)) is 
an 3-move played according to the strategy defined earlier. The definition of this move 
was based on a t/r-play of the form 

(To, do)(r , bo, do) . . . (Tk-i, bfc_i,dfc_i)(rfe, d k ) 

with (r ,d ) = (A-,a-), At(T) for < I < k and (T k ,d k ) = (A^a,), played accord- 
ing to / and <7, with an underlying path Toco . . . c k -\T k , such that there exists < j < k 
with (Ai,Ai) G Tr(rj,bj,q) for < I < j and (Aj,A^) G Tr(r,, b,-, Cj). Moreover, this 
definition guarantees that we have af(Tj + i, dj + \) = (Aj+i, dj+i) = (Aj, aj). We now put 
(A' i+1 ,a' i+1 ) = (T j+1 ,d j+1 ), and extend the play tt to (r ,b ,d ) . . . (T j ,\> j ,d j )(T j+1 ,d j+1 ), 
the underlying path tt' with cq . . . CjTj + i, and the trace r with Ai, . . . , Aj, A^ 1 . 
Case Ai = Aj Ai-: This time, the move from (Aj, (Aj, aj)) to (Aj + i, (Aj+i, aj+i)) is a 
V-move, with Aj + i = A\ for some I £ {1,2} and (Aj + i,aj + i) = (Aj,aj). Since Aj G A^ 
and cr/(A^, a£) = (Aj, aj), it follows that there exist a £?r-play of the form 

(To, d )(T , b , d ) . . . (r fe _i, b^-i, dfc_i)(r fc , d&) 

with (r , d ) = (A{,a{), At(T) for < / < k and (T k ,d k ) = (Aj,Oj), played 
according to / and g, such that bj = Aj AAf for some < j < k, and an underlying path 
Toco . . . Cfc_iTfc of this (7r-play that satisfies (Aj, Aj) G Tr(r\, b^, c/J for < h < j and 
(Ai,A[) G Tr(Tj, A} A Af, Cj). From the latter we obtain I = Cj. We then let (A- +1 , a' i+1 ) 
be given by (T j+1 ,d j+1 ), and note that a f (A' i+1 , a' i+1 ) = (A i+ i,a i+ i) = (Aj,aj) and 
A' i+1 = Tj+i 3 A^ = A\ = Aj + i. It is therefore possible for us to extend the play 
tt with the sequence (To, bo, do) . . . (Tj, bj, dj)(Tj+i, dj + \), the underlying path tt' with 
Co . . . CjTj + i, and the trace r with Aj, . . . , Aj, A\. 
Case Aj = ^)(B\, . . . , B n ): The move from (Aj, (Aj, aj)) to (Aj+i, (Aj + i, aj+i)) thus incor- 
porates an 3-move played according to the strategy defined earlier, followed by a V-move. 
Again, from Aj G A^ and <r/(A^,a^) = (Aj,aj) we obtain a C/r-play of the form 

(To, d )(r , b , d ) . . . (r fc _i, b fe _i, d k -i)(T k , d k ) 

with (r ,d ) = (A^,Oj), Ti At(r) for < I < k and (T k ,d k ) = (Aj,aj), played ac- 
cording to / and g, that has an underlying path Toco ■ ■ ■ c k -iT k such that (Aj,Aj) G 
Tr(Tj,\>j,Cj) for < j < k. Also, by definition of El's move in (Ai, (Ai, ai)) we ob- 
tain Aj + i = Bj and (Aj + i,Oj + i) G Suc/(i?j, Aj, aj) for some j G {1, . . . ,n}. It follows 
that there exists a position (A", a") such that (A", a") G Chld/(Aj, aj), Bj G A" and 
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a f (A",a") = (A i+ i,a i+1 ). We then let (A' i+1 , a' i+l ) be given by (A", a"). Moreover, 
from (A' i+1 ,a' i+1 ) £ Chld/(Aj,aj) it follows that V can move in Qy from (Aj, ai) to some 
(Aj, b, ai) with /(Aj, b, aj) = (A- +1 , a- +1 ). Since 3's move at position (Aj, b, aj) was legal, 
this now yields c £ N such that A^ +1 is the c-th conclusion of the rule represented by 
(Aj,b). This together with Bj £ A' i+1 yield (Ai,Bj) £ Tr(Aj,b,c). It is now possible to 
extend the play tt with 

(To, b , do) • • • (rfc_i,b A: _i,4_i)(r fc ,4)(Aj,b,aj)(A. +1 ,a- +1 ) , 

the underlying path tt' with cq . . . Ck-iT \cA' i+1 , and the trace r with Aj, . . . , Ai, Bj. 
Case Ai = nX.A, r\ £ {^i, v}: The move from (Aj, (Aj, ai)) to (Aj+i, (Aj + i,Oj + i)) consists 
of unfolding the fixpoint variable X, that is, Aj+i = A[X := 77X.A] and (Aj + i,aj+i) = 
(Aj,aj). Again, A[ 3 rjX.A together with af(A' i ,a' i ) = (Aj,aj) yield a £?r-play of the 
form 

(To, do)To, t»o, c?o) • • • (Tfc-i, bfc_i, <ifc_i)(rfc, dfc) 
with (To, d ) = (AJX), At(r) for < I < k and (r fc ,4) = (A;, a;), played 
according to / and g, such that \>j = r/X.A for some < j < k, and an underlying path 
Toco . . . Cfc-iTfc of this C/r-play that satisfies (Ai, Ai) € Tr(Th, b^, Ch) for < h < j and 
(Ai,Ai + i) £ Tr(Tj,bj,Cj). We now let (A' i+1 ,a' i+1 ) be given by (Tj+i, dj+i), and note 
that (jf(A' i+1 , a' i+l ) = (Aj + i,ai + i) = (Aj,ai) and A^ +1 3 A[X := 7]X.A\. It is therefore 
possible to extend the play ir with To, bo, do) • • • (T?, k?> djXTj+i, 4/+i), the underlying 
path tt' with Co . . . CjTj + \, and the trace r with Aj, . . . , Ai,A[X := 
To show the second property of the A4£/r(Y)-play 

(A , (A , a )), (Ai, (Ai, ai)), . . . , (A n , (A n , a„)), . . . 

we note that <7/(A^,aQ = (Aj,aj) together with Ai atomic and Ai £ A^ yield Aj £ Aj, for 
i = 0,1,.... ' □ 

Finally, we prove satisfiability of T in Y by showing that the strategy resulting from 
Lemma 15.161 is a winning strategy for 3 in .M£/r(Y). 

Theorem 5.17. Let f : S(T) x B(T) xQ^ S(r) x Q be a history-free winning strategy for 
3 in Qy, and let Y = (Y,7, h) be the corresponding model of a coherent coalgebra structure 
(Y, 7) for r. Then, Y, (A, a) \= A for all states (A, a) £ <Tj(r,ar) and all formulas A £ T. 

Proof. Let (Ao,ao) £ Y be such that <jy(r,ar) = (Ao,ao), and let Aq £ T. Thus, 
(Aq, (Aq, ao)) is an initial position of A4Qy(^)- Let / be the strategy for 3 at (Aq, (Aq, do)) 
in A4Qy(^) provided by Lemma T5.161 We show that Y, (Ao,ao) |= Aq by showing that 3 
wins all A / (^r(Y)-plays that start at position (Aq, (Ao,ao)) and are played according to /. 

Consider such a play, and assume first that it is finite. Let (A, (A, a)) be its last position 
of type Cl(r) x (S(r) x Q). Thus, the last position of the play is either (A, (A, a)) itself, or 
a V-position of type (V(Bi, . . . , B n ), (U\, . . . , U n )), with Ui = for i = 1, . . . , n. In either 
case, A is atomic (otherwise the play would not be complete). We distinguish the following 
cases: 

(1) A = p for some propositional variable p. By coherence of the valuation, we have p £ A, 
and therefore by the definition of Y we have (A, a) £ h(p), which implies that (p, (A, a)) 
is a winning position for 3. 

(2) A = p. Similar to the previous case. 
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(3) A = ty(Bi, . . . , B n ). According to the definition of 3's strategy /, the last position of 
the play must be a V-position of type . . . , B n ), {U\, . . . , U n )) with Ui = for 

i = 1, . . . ,n (as 3 can always play in positions of type (^(Bi, . . . , B n ), (A, a))). Thus, 
(A, (A, a)) is a winning position for 3. 

It therefore follows that 3 wins all finite A / (^r(Y)-plays that start at (Aq, (Aq,cio)) and are 
played according to /. Now consider an infinite .MC/rOO-play starting at (Aq, (Ao, ao)) 
and played according to /, and let tt be the infinite <7r-play and r be the associated trace 
through 7r provided by Lemma 15.161 It follows from the statement of the lemma that r is 
contractable to the sequence of formulas appearing in the given _M<?r(Y)-play. Since the 
strategy / was winning for 3 in Qy, it follows that any trace through tt, and therefore also r, 
satisfies the parity condition of Qy- As a result, the parity condition of MGrO?) 1S satisfied 
by the given infinite MQ-p(Y)-play, which is thus won by 3. □ 

Theorem 15.81 now follows from Theorem 15.171 and the observation that the sizes of 
both Q and S(r) are bounded by an exponential in the size of Cl(r) (by Lemma 15.21 and 
respectively the definition of S(T)). 

Putting everything together, we obtain a complete characterisation of satisfiability in 
the coalgebraic /i-calculus. 

Theorem 5.18. Suppose that T £ S(A) is a clean, guarded sequent and R is one-step tableau 
complete and contraction closed. Then T is satisfiable iff no tableau for T is closed iff 3 has 
a winning strategy in the tableau game Qt- 

As a by-product, we obtain the following small model property. 

Corollary 5.19. A satisfiable, clean and guarded formula A is satisfiable in a model of size 
C(2P( n )) where n is the cardinality of Cl(^4) and p is a polynomial. 

Proof. The statement follows immediately from Theorems 14.141 15.51 and 15.81 together with 
the determinacy of two player parity games. □ 



6. Complexity 

We now show that - subject to a mild condition on the rule set - the satisfiability problem 
for guarded formulas of the coalgebraic ^-calculus is decidable in exponential time. By 
Theorem l5,18l the satisfiability problem is reducible to the existence of winning strategies in 
parity games. Given any guarded sequent T, we thus construct a parity game of exponential 
size (measured in the size of T), the parity function of which has polynomial range (again 
measured relative to the size of T). This will ensure ExPTiME-decidability if we can decide 
legal moves in this game in exponential time. According to Definition 15. 3\ the game board 
consists of the disjoint union of 

• S(r) x Q (the positions owned by V) where Q is the state set of a T-parity automaton 
and S(r) are the sequents that we can form in the closure of T, and 

• S(r) x B(T) x Q where B(T) are the blueprints of rules with premise in S(r). 

We know that the state set Q of the T-parity automaton is exponential in the size of Cl(r) 
by Lemma [5721 and it is easy to see that S(r) is exponentially bounded. The crucial step for 
obtaining an overall exponential bound is thus the ability to treat rule blueprints. While 
this is simple for many logics (where it is easy to see one only has exponentially many 
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applicable rule/substitution pairs that are of polynomial size), more care is needed for the 
rules of the probabilistic and the graded //-calculus. The main difficulty lies in the fact that 
the conclusions of these rules (Example 14. 5p are sets of sequents that may be exponentially 
large. On the other hand, the conclusions can be represented by (small) linear inequalities, 
as in fact we did in Example S3] for presentational purposes, and leads to an obvious solution. 
Instead of representing rule blueprints associated with modal rules directly, we use a coding 
of modal rules that can be decided efficiently, to obtain an exponential representation of 
the game board. This approach has been used previously in [23] to give PsPACE-bounds for 
coalgebraic logics, and we will refer to op.cit. for some of the technical points. 

In order to be able to speak about the complexity of the satisfiability problem in a 
meaningful way, we begin by formalising the notion of size of formulas and sequents. To 
do this, we assume that the underlying similarity type A is equipped with a size measure 
s : A — > N and measure the size of a formula A in terms of the number of subformulas 
counted with multiplicities, adding sCs?) for every occurrence of a modal operator 0? € A 
in A. In the examples, we code numbers in binary, that is, s({k}) = s([k]) = [log 2 k~\ for 
the graded //-calculus and s((p/q)) = s(jp/q\) = \log 2 p] + |~log 2 q] + 1 for the probabilistic 
//-calculus, and s([a±, . . . , a,k\) = 1 for coalition logic. Note that in the latter case, the 
overall number of agents is fixed, so there will only be finitely many coalitions which allows 
us to assign unit size to every operator. The definition of size is extended to sequents by 
size(r) = Y1a€F size(^) for T G S(A) and size({ri, . . . , T n }) = E"=i size ( r for sets of 
sequents. 

We continue by discussing the mechanism to encode rule blueprints that we did describe 
informally at the beginning of this section. In order to obtain an exponential bound, we 
require that blueprints of modal rules can be encoded by strings of polynomial length. In 
order to have a uniform treatment, we make the following definition. 

Definition 6.1. Suppose that T G S(A). A set R of one-step rules is exponentially tractable 
if there is an alphabet X and a polynomial p such that every b = (r, a) with r = Tq/T\ . . . T n 
can be encoded as a string of length < p(size(rocr)) and the relations 

Ri = {(A, (Tq/Ti ...T n ,a) | Too- C A} 

and 

R 2 = {((A,b), A') | A' is i-th conclusion of p(A,b)} 
are decidable in Exptime (modulo this coding) for all i £ N. 

Exponential tractability gives an upper bound on the size of the board of the tableau game 
and the complexity of both the parity function and the relation determining legal moves. 
The proof of this result requires the following auxiliary lemmas thate establish bounds on 
the closure of the root sequent, and the size of the sequents in the closure, respectively. 

Lemma 6.2. Suppose A G T(A). Then \Cl(A)\ < size(^4). 

Proof. By induction on the structure of A where the only non-trivial case is A = rjp.B for 
r] G {//, u}. To establish the claim, we show that D = {C\p := rjp.A] \ C G Cl(B)} is closed. 
This implies that Cl(^4) C D and the claim follows from the induction hypothesis. □ 

Lemma 6.3. IfT G S(A) and A G S(r) then size(A) < size(r) 3 . 

Proof. The closure of T has at most size(r) many elements, each of which may be larger 
than size(r) as a result of substituting [ip.A for p in A if \ip.A G T. The result follows as 
this can happen at most size(r)-many times. □ 
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We can now formulate, and prove, the annonced encoding of the tableau game as follows. 

Lemma 6.4. Suppose that R is exponentially tractable. Then every position in the tableau 
game Gr = (B^, By, E,Q) of T G S(A) can be represented by a string of polynomial length 
in size(r). Under this coding, the relation (b,b') € E is decidable in exponential time. 

Proof. We know that the state set A of the parity automaton A associated with Gr is 
exponential in size(r), hence every a £ A can be represented by a string of polynomial 
length in size(T). 

As we are now working with the encoding of the game board we think of the automa- 
ton as operating on encodings of rule blueprints rather than on the rule blueprints itself. 
More precisely, we run the automaton not on trace tiles (A,b,z) but on encoded trace tiles 
(code(A), code(b), i) where code(A) is the given encoding of sequents in S(r) and code(b) 
is the encoding of b = (r, a) according to Definition 16.11 if b encodes a modal rule or code(b) 
is the principal formula of the (non-modal) rule represented by b otherwise. 

Every element of the set S(T) can be encoded by a string of polynomial length in size(r) 
by Lemma 16.31 Thus every position (A, a) of B^ can be encoded by a string of polynomial 
length. 

By exponential tractability, every rule blueprint b can be encoded as a string of poly- 
nomial length, leading premise, leading to a polynomial bound on the size of the positions 
(A, b, a) of By. 

To see that E is decidable in exponential time, note that it follows from exponential 
tractability that the moves of V from (A, a) to (A, b, b) are decidable in Exptime by Def- 
inition of tractability. To ensure Exptime decidablity of a move from (A,b,a) to (A', a') 
where b is a blueprint of a modal rule, note that the rule represented by (A, b) has at most 
exponentially many conclusions (measured in the size of A), and as we can check whether 
A' is the i-th conclusion of /?(A, b) in exponential time, we conclude that E is decidable in 
Exptime overall. □ 

We now obtain an Exptime upper bound for satisfiability. 

Corollary 6.5. Suppose T is a monotone A-structure and R is exponentially tractable, con- 
traction closed and one-step tableau complete for T. Then the problem of deciding whether 
3 has a winning strategy in the tableau game for a clean, guarded sequent T E S(A) is 
in Exptime. As a consequence, the same holds for satisfiability of any guarded formula 



Proof. The first assertion follows from Lemma f6,4l as the problem of deciding the winner in a 
parity game is exponential only in the size of the parity function of the game (Theorem 13. ip 
which is polynomial in the size of T (Lemma l5.2p . The second statement now follows with 



Example 6.6. It is easy to see that the rule sets for the modal //-calculus, the coalitional 
//-calculus and the monotone //-calculus are exponentially tractable, as the number of con- 
clusions of each one-step rule is bounded. To establish exponential tractability for the rule 
sets for the graded and probabilistic //-calculus, we argue as in [21] where tractability of the 
(dual) proof rules has been established. We encode a rule with premise Y17=l r * a * < ^ as 
(n, di, . . . , r n , a n , k) and Lemma 6.16 of op. cit. provides a polynomial bound on the size of 
the solutions for the linear inequalities that combine conclusion and side condition of both 
the (G) and (P)-rule. Exponential tractability follows, once we agree on a fixed order on 
the set of prime implicants. In all cases, contraction closure is immediate. 



Aef(A). 




□ 
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7. Conclusions 

In this paper, we have introduced the coalgebraic //-calculus that provides a generic and 
uniform framework for modal fixpoint logics. The calculus takes three parameters: 

• an endofunctor T : Set — > Set that defines the class of T-coalgebras over which the calculus 
is interpreted 

• a collection A of modal operators that defines the syntax of the calculus, and 

• the interpretation of the modal operators over T-coalgebras, which is given by predicate 
liftings for T. 

In this general setting, our main results are soundness and completeness of of the calculus 
and Exptime decidability of the satisfiability problem for guarded formulas. Technically, 
completeness was achieved by tracking the evolution of fixpoint formulas in a tableau, 
and for a closed tableau we require that an outermost least fixpoint is unfolded along 
every infinite branch. To detect these infinite unfoldings of least fixpoints, we use a parity 
automaton that we run in parallel with the tableau, so that the existence of closed tableaux 
can be characterised by winning strategies in a parity game that is played on pairs consisting 
of a sequent and an automaton state. Our treatment borrows from by [17] and [26], but 
there are some important differences. In contrast to |17j . we use parity games that directly 
correspond to tableaux, together with parity automata to detect bad traces. Moreover, 
our model construction super-imposes a coalgebra structure on the relation induced by a 
winning strategy for 3. This model construction is substantially more involved than that 
given in [24], since we cannot argue in terms of modal rank in the presence of fixpoints. 
Compared with [26] (where no complexity results are presented), we use standard syntax 
for modal operators, which allows us to subsume for instance the graded //-calculus that 
cannot be expressed in terms of the V-operator used in op. cit.. By instantiating the generic 
approach to specific logics, that is, by providing instances of the endofunctor T, the set A 
of modal operators and the one-step rules R, we 

• reproduce the complexity bound for the modal //-calculus [9], together with the complete- 
ness of a slight variant of the tableau calculus presented in [T7] , 

• lead to a new proof of the known Exptime bound for the graded //-calculus |21| . 

• establish previously unknown Exptime bounds for the probabilistic //-calculus, for coali- 
tion logic with fixpoints and for the monotone /i-calculus. 

We note that these bounds are tight for all logics except possibly the monotone /i-calculus, 
as the modal //-calculus can be encoded into all other logics. Given that the coalgebraic 
framework is inherently compositional [61 O [23] , our results also apply to (coalgebraic) 
logics that arise by combining various features, such as strategic games and quantitative 
uncertainty. 

As mentioned before we would like to stress that we established the EXPTIME bound 
only for the guarded formulas of the above listed logics. Under the frequently used as- 
sumption that one can transform an arbitrary formula into an equivalent guarded one in 
polynomial or even linear time, we could extend our results to the full logics. In particular, 
note that in [21] precisely this assumption has been used for the graded //-calculus. For 
the modal //-calculus a tableau-based EXPTIME-procedure that works for arbitrary for- 
mulas as input has been presented recently in [TJ]. After careful inspection of our calculus 
we conjecture that our tableau calculus is also sound and complete for arbitrary formulas 
and formula sequents. We have to leave the details of the substantially more complicated 
completeness proof for this general case as future work. 
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